diff --git a/packages/carbon_black_cloud/1.0.3/changelog.yml b/packages/carbon_black_cloud/1.0.3/changelog.yml
new file mode 100755
index 0000000000..83c0fdd168
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/changelog.yml
@@ -0,0 +1,36 @@
+# newer versions go on top
+- version: "1.0.3"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/3579
+- version: "1.0.2"
+ changes:
+ - description: Fix dashboard issues.
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/3462
+- version: "1.0.1"
+ changes:
+ - description: Change event.outcome value from failure to failed according to ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/issues/3407
+- version: "1.0.0"
+ changes:
+ - description: Make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3428
+- version: 0.1.2
+ changes:
+ - description: Add "VMware" to the title to make it "VMware Carbon Black Cloud".
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3196
+- version: 0.1.1
+ changes:
+ - description: Captured domain from username and hostname
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3106
+- version: 0.1.0
+ changes:
+ - description: Initial draft of the package.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2760
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/aws-s3.yml.hbs
new file mode 100755
index 0000000000..e02c596614
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2f738b21a6
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/agent/stream/httpjson.yml.hbs
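Review bot: Every variable in this stream template is interpolated as an unquoted plain scalar (`bucket_arn`, `bucket_list_prefix`, `secret_access_key`, `proxy_url`), so an empty expansion is read as YAML `null` and a value that happens to look like a boolean or number, or that starts with a YAML indicator, is retyped or mis-parsed before the aws-s3 input ever sees it. Of these only `bucket_list_prefix` and `interval` are declared in the data-stream manifest in this commit; `bucket_arn`, `number_of_workers`, `access_key_id`, `secret_access_key` and `proxy_url` are presumably package-level vars outside this diff and should be confirmed to exist there. Quoting the free-text ones, e.g. `bucket_list_prefix: "{{bucket_list_prefix}}"` and `proxy_url: "{{proxy_url}}"`, keeps them strings regardless of what the user types.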
@@ -0,0 +1,52 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 2m
+request.method: POST
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/appservices/v6/orgs/{{org_key}}/alerts/_search
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{custom_api_secret_key}}/{{custom_api_id}}
+ - set:
+ target: body.criteria.last_update_time.start
+ value: '[[.cursor.last_update_timestamp]]'
+ default: '[[formatDate ((now (parseDuration "-{{initial_interval}}")).Add (parseDuration "-15m")) "RFC3339"]]'
+ - set:
+ target: body.criteria.last_update_time.end
+ value: '[[formatDate (now (parseDuration "-15m")) "RFC3339"]]'
+ - set:
+ target: body.sort
+ value: '[{ "field": "last_update_time", "order": "ASC"}]'
+ value_type: json
+response.pagination:
+ - set:
+ target: body.criteria.last_update_time.start
+ value: '[[if (ne .last_response.body.num_found .last_response.body.num_available)]][[.last_event.last_update_time]][[else]][[.last_response.terminate_pagination]][[end]]'
+ fail_on_template_error: true
+cursor:
+ last_update_timestamp:
+ value: '[[.last_event.last_update_time]]'
+response.split:
+ target: body.results
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f6f5fc171e
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
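Review bot: The default start bound is built with `parseDuration "-{{initial_interval}}"`, and the alert manifest in this same commit declares `initial_interval` as free `type: text`, so a value Go's duration syntax does not accept (for example `1d`) is only rejected at request time inside the template, with `fail_on_template_error` unable to help because that flag is set on the pagination step, not on this transform. The manifest description should state the accepted format, e.g. `description: How far back to pull the alerts from the Carbon Black Cloud API. Use Go duration syntax with units up to h (for example 24h).`; the same point applies to the manifest hunk and is not repeated there. The fixed 15 minute lag subtracted from both `start` and `end`, and the reason the pagination step rewrites `start` from `last_event.last_update_time` while `num_found` differs from `num_available`, are undocumented; a `{{! ... }}` Handlebars comment above `request.transforms:` explaining the lag (presumably to let the API finish updating alerts before they are queried; confirm) would save the next maintainer a guess.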
@@ -0,0 +1,313 @@ +--- +description: Pipeline for parsing Carbon Black Cloud alerts. +processors: + - set: + field: ecs.version + value: "8.0.0" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.id + - json.create_time + - json.last_update_time + target_field: _id + ignore_missing: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - set: + field: event.kind + value: alert + - rename: + field: json.id + target_field: event.id + ignore_missing: true + - rename: + field: json.first_event_time + target_field: event.start + ignore_missing: true + - rename: + field: json.last_event_time + target_field: event.end + ignore_missing: true + - rename: + field: json.severity + target_field: event.severity + ignore_missing: true + - urldecode: + field: json.alert_url + target_field: event.url + ignore_missing: true + - rename: + field: json.reason + target_field: event.reason + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + value: macos + if: ctx?.json?.device_os == "MAC" + - set: + field: event.kind + value: alert + - rename: + field: json.device_os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: "{{{host.hostname}}}" + ignore_failure: true + - append: + field: host.ip + value: 
"{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device_username + target_field: user.name + ignore_missing: true + - grok: + field: user.name + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:user.name})$' + ignore_missing: true + ignore_failure: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + allow_duplicates: false + - append: + field: related.user + value: + - "{{{user.name}}}" + allow_duplicates: false + - append: + field: related.hosts + value: + - "{{{host.hostname}}}" + - "{{{user.domain}}}" + allow_duplicates: false + - append: + field: related.hash + value: + - "{{{json.threat_cause_actor_md5}}}" + - "{{{json.threat_cause_actor_sha256}}}" + allow_duplicates: false + - rename: + field: json.process_name + target_field: process.name + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.vendor_name + target_field: carbon_black_cloud.alert.vendor_name + ignore_missing: true + - rename: + field: json.product_name + target_field: carbon_black_cloud.alert.product_name + ignore_missing: true + - rename: + field: json.serial_number + target_field: carbon_black_cloud.alert.serial_number + ignore_missing: true + - rename: + field: json.policy_id + target_field: carbon_black_cloud.alert.policy.id + ignore_missing: true + - rename: + field: json.policy_name + target_field: carbon_black_cloud.alert.policy.name + ignore_missing: true + - rename: + field: json.threat_id + target_field: carbon_black_cloud.alert.threat_id + ignore_missing: true + - 
rename: + field: json.policy_applied + target_field: carbon_black_cloud.alert.policy.applied + ignore_missing: true + - rename: + field: json.threat_activity_c2 + target_field: carbon_black_cloud.alert.threat_activity.c2 + ignore_missing: true + - rename: + field: json.threat_activity_dlp + target_field: carbon_black_cloud.alert.threat_activity.dlp + ignore_missing: true + - rename: + field: json.threat_activity_phish + target_field: carbon_black_cloud.alert.threat_activity.phish + ignore_missing: true + - rename: + field: json.threat_cause_actor_name + target_field: carbon_black_cloud.alert.threat_cause.actor.name + ignore_missing: true + - rename: + field: json.threat_cause_actor_process_pid + target_field: carbon_black_cloud.alert.threat_cause.actor.process_pid + ignore_missing: true + - rename: + field: json.threat_cause_actor_sha256 + target_field: carbon_black_cloud.alert.threat_cause.actor.sha256 + ignore_missing: true + - rename: + field: json.threat_cause_actor_md5 + target_field: carbon_black_cloud.alert.threat_cause.actor.md5 + ignore_missing: true + - rename: + field: json.threat_cause_cause_event_id + target_field: carbon_black_cloud.alert.threat_cause.cause_event_id + ignore_missing: true + - rename: + field: json.threat_cause_parent_guid + target_field: carbon_black_cloud.alert.threat_cause.process.parent.guid + ignore_missing: true + - rename: + field: json.threat_cause_process_guid + target_field: carbon_black_cloud.alert.threat_cause.process.guid + ignore_missing: true + - rename: + field: json.threat_cause_reputation + target_field: carbon_black_cloud.alert.threat_cause.reputation + ignore_missing: true + - rename: + field: json.threat_cause_threat_category + target_field: carbon_black_cloud.alert.threat_cause.threat_category + ignore_missing: true + - rename: + field: json.threat_cause_vector + target_field: carbon_black_cloud.alert.threat_cause.vector + ignore_missing: true + - rename: + field: json.ioc_field + target_field: 
carbon_black_cloud.alert.ioc.field + ignore_missing: true + - rename: + field: json.ioc_hit + target_field: carbon_black_cloud.alert.ioc.hit + ignore_missing: true + - rename: + field: json.ioc_id + target_field: carbon_black_cloud.alert.ioc.id + ignore_missing: true + - rename: + field: json.report_id + target_field: carbon_black_cloud.alert.report.id + ignore_missing: true + - rename: + field: json.report_name + target_field: carbon_black_cloud.alert.report.name + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.alert.organization_key + ignore_missing: true + - rename: + field: json.device_location + target_field: carbon_black_cloud.alert.device.location + ignore_missing: true + - rename: + field: json.device_os + target_field: carbon_black_cloud.alert.device.os + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: carbon_black_cloud.alert.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.alert.device.external_ip + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - lowercase: + field: json.category + ignore_missing: true + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.alert + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.alert.create_time + - carbon_black_cloud.alert.device_id + - carbon_black_cloud.alert.alert_url + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) 
object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/agent.yml 
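Review bot: The painless script that copies the remaining `json.*` keys does `ctx.carbon_black_cloud.alert[m.getKey()] = m.getValue();` without checking that the target map exists; `ctx.carbon_black_cloud.alert` is only created as a side effect of the earlier `rename` processors, so an alert carrying none of those renamed keys (unlikely for the documented API, but nothing in the pipeline prevents it) makes the script throw a null-pointer error and the whole event ends up in `on_failure` with only `error.message`. Initialise the maps first: `if (ctx.carbon_black_cloud == null) { ctx.carbon_black_cloud = new HashMap(); }` and `if (ctx.carbon_black_cloud.alert == null) { ctx.carbon_black_cloud.alert = new HashMap(); }`. Separately, `event.kind: alert` is set twice (once after the `date` processor and again after the `host.os.type` sets), so the second `set` is redundant. The `related.ip`, `related.user`, `related.hosts` and `related.hash` appends render `{{{...}}}` values without an `if` and rely on the trailing drop-empty-fields script to remove the resulting empty strings; a one-line comment on that script, `# also removes the "" values produced by the unconditional related.* appends above`, would stop someone reordering the processors.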
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/base-fields.yml
new file mode 100755
index 0000000000..14fb618ea4
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.alert
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/ecs.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/ecs.yml
new file mode 100755
index 0000000000..7963c28eb9
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/ecs.yml
@@ -0,0 +1,124 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. 
+ name: event.url + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + Use the `os.type` field to categorize the operating system into one of the broad commercial families. + One of these following values should be used (lowercase): linux, macos, unix, windows. + If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + name: host.os.type + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. 
+ multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/fields.yml new file mode 100755 index 0000000000..3eca3a1515 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/fields/fields.yml 
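Review bot: `error.message` is written by the pipeline's `on_failure` handler (alert/elasticsearch/ingest_pipeline/default.yml in this commit) but is not declared in this file, nor in agent.yml or base-fields.yml, so failed events receive it through dynamic mapping rather than with its ECS type (or lose it, if the index template turns dynamic mapping off). Add the definition next to the `event.*` entries: `- description: Error message.` / `  name: error.message` / `  type: match_only_text`. That also keeps `error.message` searchable from the dashboards for events that failed parsing.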
@@ -0,0 +1,218 @@ +- name: carbon_black_cloud.alert + type: group + fields: + - name: blocked_threat_category + type: keyword + description: The category of threat which we were able to take action on. + - name: category + type: keyword + description: The category of the alert. + - name: count + type: long + - name: created_by_event_id + type: keyword + description: Event identifier that initiated the alert. + - name: device + type: group + fields: + - name: location + type: keyword + description: The Location of device. + - name: os + type: keyword + description: OS of the device. + - name: internal_ip + type: ip + description: Internal IP of the device. + - name: external_ip + type: ip + description: External IP of the device. + - name: document_guid + type: keyword + description: Unique ID of document. + - name: ioc + type: group + fields: + - name: field + type: keyword + description: The field the indicator of comprise (IOC) hit contains. + - name: hit + type: keyword + description: IOC field value or IOC query that matches. + - name: id + type: keyword + description: The identifier of the IOC that cause the hit. + - name: kill_chain_status + type: keyword + description: The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. + - name: last_update_time + type: date + description: The last time the alert was updated as an ISO 8601 UTC timestamp. + - name: legacy_alert_id + type: keyword + description: The legacy identifier for the alert. + - name: not_blocked_threat_category + type: keyword + description: Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). + - name: notes_present + type: boolean + description: Indicates if notes are associated with the threat_id. + - name: organization_key + type: keyword + description: The unique identifier for the organization associated with the alert. 
+ - name: policy + type: group + fields: + - name: applied + type: keyword + description: Whether a policy was applied. + - name: id + type: long + description: The identifier for the policy associated with the device at the time of the alert. + - name: name + type: keyword + description: The name of the policy associated with the device at the time of the alert. + - name: product_id + type: keyword + description: The hexadecimal id of the USB device's product. + - name: product_name + type: keyword + description: The name of the USB device’s vendor. + - name: reason_code + type: keyword + description: Shorthand enum for the full-text reason. + - name: report + type: group + fields: + - name: id + type: keyword + description: The identifier of the report that contains the IOC. + - name: name + type: keyword + description: The name of the report that contains the IOC. + - name: run_state + type: keyword + description: Whether the threat in the alert ran. + - name: sensor_action + type: keyword + description: The action taken by the sensor, according to the rule of the policy. + - name: serial_number + type: keyword + description: The serial number of the USB device. + - name: status + type: keyword + description: status of alert. + - name: tags + type: keyword + description: Tags associated with the alert. + - name: target_value + type: keyword + description: The priority of the device assigned by the policy. + - name: threat_activity + type: group + fields: + - name: c2 + type: keyword + description: Whether the alert involved a command and control (c2) server. + - name: dlp + type: keyword + description: Whether the alert involved data loss prevention (DLP). + - name: phish + type: keyword + description: Whether the alert involved phishing. + - name: threat_cause + type: group + fields: + - name: actor + type: group + fields: + - name: md5 + type: keyword + description: MD5 of the threat cause actor. 
+ - name: name + type: keyword + description: 'The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan.' + - name: process_pid + type: keyword + description: Process identifier (PID) of the actor process. + - name: sha256 + type: keyword + description: SHA256 of the threat cause actor. + - name: cause_event_id + type: keyword + description: ID of the Event that triggered the threat. + - name: process + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: parent + type: group + fields: + - name: guid + type: keyword + description: The global unique identifier of the process. + - name: reputation + type: keyword + description: Reputation of the threat cause. + - name: threat_category + type: keyword + description: Category of the threat cause. + - name: vector + type: keyword + description: The source of the threat cause. + - name: threat_id + type: keyword + description: The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. + - name: threat_indicators + type: group + description: List of the threat indicators that make up the threat. + fields: + - name: process_name + type: keyword + description: Process name associated with threat. + - name: sha256 + type: keyword + description: Sha256 associated with threat. + - name: ttps + type: keyword + description: Tactics, techniques and procedures associated with threat. + - name: type + type: keyword + description: Type of alert. + - name: vendor_id + type: keyword + description: The hexadecimal id of the USB device's vendor. + - name: vendor_name + type: keyword + description: The name of the USB device’s vendor. + - name: watchlists + type: group + description: List of watchlists associated with an alert. 
+ fields: + - name: id + type: keyword + description: The identifier of watchlist. + - name: name + type: keyword + description: The name of the watchlist. + - name: workflow + type: group + description: Tracking system for alerts as they are triaged and resolved. + fields: + - name: changed_by + type: keyword + description: The name of user who changed the workflow. + - name: comment + type: keyword + description: Comment associated with workflow. + - name: last_update_time + type: date + description: The last update time of workflow. + - name: remediation + type: keyword + description: N/A + - name: state + type: keyword + description: The state of workflow. diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/manifest.yml b/packages/carbon_black_cloud/1.0.3/data_stream/alert/manifest.yml new file mode 100755 index 0000000000..477667ce22 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/manifest.yml 
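Review bot: Two descriptions are wrong or misspelled: `product_name` is described as `The name of the USB device’s vendor.` (copied from `vendor_name`; it should describe the product, e.g. `The name of the USB device's product.`), and `ioc.field` says `indicator of comprise (IOC)` where `compromise` is meant. `count` has no description at all and `workflow.remediation` is documented as `N/A`; if the vendor API documents these, copy that, otherwise state what the integration stores there. `policy.applied` and the three `threat_activity.*` fields are documented as "Whether ..." yet mapped as `keyword`; if the source sends string enumerations rather than booleans that is fine, but the description should say so, so readers do not expect `true`/`false`.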
@@ -0,0 +1,95 @@
+title: Alert
+type: logs
+streams:
+ - input: httpjson
+ title: Collect alerts from Carbon Black Cloud
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch alerts from Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the alerts from the Carbon Black Cloud API.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: aws-s3
+ title: Collect alerts from Carbon Black Cloud
+ description: Collect alerts from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch alerts from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-alert
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/alert/sample_event.json b/packages/carbon_black_cloud/1.0.3/data_stream/alert/sample_event.json
new file mode 100755
index 0000000000..67e2c63a32
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/alert/sample_event.json
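Review bot: The `aws-s3` stream reuses the exact `title` and `description` of the `httpjson` stream (`Collect alerts from Carbon Black Cloud`), so the two inputs are indistinguishable in the Fleet UI even though the stream's own `interval` var says it reads from an S3 bucket; something like `title: Collect alerts from AWS S3 bucket` / `description: Collect Carbon Black Cloud alerts from an AWS S3 bucket.` would disambiguate. The two `processors` descriptions also differ in block-scalar style: `>` in the httpjson stream keeps a trailing newline (plus the blank line that follows it) in the rendered help text, while the aws-s3 stream uses `>-`; use `>-` in both. The same `>` form with a trailing blank line appears in the asset_vulnerability_summary manifest.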
@@ -0,0 +1,114 @@
+{
+ "@timestamp": "2020-11-17T22:05:13.000Z",
+ "agent": {
+ "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102",
+ "hostname": "docker-fleet-agent",
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "carbon_black_cloud": {
+ "alert": {
+ "category": "warning",
+ "device": {
+ "external_ip": "81.2.69.143",
+ "internal_ip": "81.2.69.144",
+ "location": "UNKNOWN",
+ "os": "WINDOWS"
+ },
+ "last_update_time": "2020-11-17T22:05:13Z",
+ "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
+ "organization_key": "ABCD6X3T",
+ "policy": {
+ "applied": "APPLIED",
+ "id": 6997287,
+ "name": "Standard"
+ },
+ "product_id": "0x5406",
+ "product_name": "U3 Cruzer Micro",
+ "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
+ "run_state": "DID_NOT_RUN",
+ "sensor_action": "DENY",
+ "serial_number": "0875920EF7C2A304",
+ "target_value": "MEDIUM",
+ "threat_cause": {
+ "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
+ "threat_category": "NON_MALWARE",
+ "vector": "REMOVABLE_MEDIA"
+ },
+ "threat_id": "t5678",
+ "type": "DEVICE_CONTROL",
+ "vendor_id": "0x0781",
+ "vendor_name": "SanDisk",
+ "workflow": {
+ "changed_by": "Carbon Black",
+ "last_update_time": "2020-11-17T22:02:16Z",
+ "state": "OPEN"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "carbon_black_cloud.alert",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-04-14T11:46:13.154Z",
+ "dataset": "carbon_black_cloud.alert",
+ "end": "2020-11-17T22:02:16Z",
+ "id": "test1",
+ "ingested": "2022-04-14T11:46:14Z",
+ "kind": "alert",
+ "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}", + "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.",
+ "severity": 3,
+ "start": "2020-11-17T22:02:16Z",
+ "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
+ },
+ "host": {
+ "hostname": "DESKTOP-002",
+ "id": "2",
+ "ip": [
+ "81.2.69.144",
+ "81.2.69.143"
+ ],
+ "name": "DESKTOP-002",
+ "os": {
+ "type": "windows",
+ "version": "Windows 10 x64"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-002"
+ ],
+ "ip": [
+ "81.2.69.144",
+ "81.2.69.143"
+ ],
+ "user": [
+ "test34@demo.com"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-alert"
+ ],
+ "user": {
+ "name": "test34@demo.com"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..310b6e05d5
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,45 @@
+config_version: 2
+interval: {{interval}}
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.url: {{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{custom_api_secret_key}}/{{custom_api_id}}
+ - set:
+ target: body.start
+ value: '0'
+ value_type: int
+ - set:
+ target: body.rows
+ value: '10000'
+ value_type: int
+request.timeout: 2m
+response.pagination:
+ - set:
+ target: body.start
+ value: '[[if (eq (len .last_response.body.results) 0)]][[.last_response.terminate_pagination]][[else]][[mul .last_response.page .body.rows]][[end]]'
+ value_type: int
+ fail_on_template_error: true
+response.split:
+ target: body.results
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..94f7482f37
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/elasticsearch/ingest_pipeline/default.yml
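Review bot: `request.url` and the `X-Auth-Token` transform emit `{{hostname}}` and `{{custom_api_secret_key}}/{{custom_api_id}}` as plain YAML scalars, so a configured value containing `: ` or ` #` would be re-parsed as a mapping or a comment and the request would fail or authenticate with a truncated token; quoting both, `request.url: "{{hostname}}/vulnerability/assessment/api/v1/orgs/{{org_key}}/devices/vulnerabilities/summary/_search"` and `value: "{{custom_api_secret_key}}/{{custom_api_id}}"`, makes the rendered config independent of what the user pastes in. `{{#if proxy_url }}` carries a stray space before `}}` that the audit stream's template (`{{#if proxy_url}}`) does not; match it. That audit template also sets no `request.timeout` while this one sets `request.timeout: 2m`; if the difference is intentional, a comment saying why would help the next maintainer.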
@@ -0,0 +1,132 @@
+---
+description: Pipeline for parsing Carbon Black Cloud Asset Vulnerability Summary.
+processors:
+- rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+- set:
+ field: ecs.version
+ value: '8.0.0'
+- json:
+ field: event.original
+ target_field: json
+- rename:
+ field: json.host_name
+ target_field: host.hostname
+ ignore_missing: true
+- convert:
+ field: json.device_id
+ type: string
+ target_field: host.id
+ ignore_missing: true
+- rename:
+ field: json.name
+ target_field: host.name
+ ignore_missing: true
+- rename:
+ field: json.os_info.os_name
+ target_field: host.os.name
+ ignore_missing: true
+- set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.os_info.os_type == "WINDOWS"
+- set:
+ field: host.os.type
+ value: ubuntu
+ if: ctx?.json?.os_info.os_type == "UBUNTU"
+- set:
+ field: host.os.type
+ value: centos
+ if: ctx?.json?.os_info.os_type == "CENTOS"
+- remove :
+ field: json.os_info.os_type
+ ignore_missing: true
+- remove :
+ field: json.device_id
+ ignore_missing: true
+- rename:
+ field: json.os_info.os_version
+ target_field: host.os.version
+ ignore_missing: true
+- rename:
+ field: json.highest_risk_score
+ target_field: vulnerability.score.base
+ ignore_missing: true
+- rename:
+ field: json.severity
+ target_field: vulnerability.severity
+ ignore_missing: true
+- date:
+ field: json.last_sync_ts
+ formats:
+ - ISO8601
+ target_field: carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp
+- remove:
+ field: json.last_sync_ts
+ ignore_missing: true
+- rename:
+ field: json.sync_status
+ target_field: carbon_black_cloud.asset_vulnerability_summary.sync.status
+ ignore_missing: true
+- rename:
+ field: json.sync_type
+ target_field: carbon_black_cloud.asset_vulnerability_summary.sync.type
+ ignore_missing: true
+- rename:
+ field: json.type
+ target_field: carbon_black_cloud.asset_vulnerability_summary.type
+ ignore_missing: true
+- rename:
+ field: json.vm_id
+ target_field: 
carbon_black_cloud.asset_vulnerability_summary.vm.id
+ ignore_missing: true
+- rename:
+ field: json.vm_name
+ target_field: carbon_black_cloud.asset_vulnerability_summary.vm.name
+ ignore_missing: true
+- rename:
+ field: json.vuln_count
+ target_field: carbon_black_cloud.asset_vulnerability_summary.vuln_count
+ ignore_missing: true
+- append:
+ field: related.hosts
+ value: "{{{host.hostname}}}"
+ allow_duplicates: false
+- script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.asset_vulnerability_summary
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.asset_vulnerability_summary[m.getKey()] = m.getValue();
+ }
+- remove:
+ field: json
+ ignore_missing: true
+- script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/agent.yml
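Review bot: The `set` processors that write `ubuntu` and `centos` into `host.os.type` put values outside the ECS vocabulary that this package's own `fields/ecs.yml` states for the field (linux, macos, unix, windows); both should use `value: linux`, leaving the distribution to `host.os.name` (already filled from `os_info.os_name`) or `host.os.platform`. The three conditions also stop the null-safe chain one link early — `ctx?.json?.os_info.os_type` still dereferences `os_info` unguarded, so a record without an `os_info` object looks likely to land in `on_failure` with a null pointer error instead of simply skipping the `set`; `ctx?.json?.os_info?.os_type` avoids that. The `date` processor on `json.last_sync_ts` has neither `if` nor `ignore_failure`, so a record lacking that field aborts the whole pipeline before the later renames and the catch-all script run; `if: ctx?.json?.last_sync_ts != null` would let it through. `- remove :` (space before the colon, twice) parses as `remove` but is inconsistent with every other processor key in the file.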
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/base-fields.yml
new file mode 100755
index 0000000000..e6791517a6
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: carbon_black_cloud.asset_vulnerability_summary
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/ecs.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/ecs.yml
new file mode 100755
index 0000000000..536382d53b
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/ecs.yml
@@ -0,0 +1,64 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: Operating system name, without the version.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: host.os.name
+ type: keyword
+- description: |-
+ Use the `os.type` field to categorize the operating system into one of the broad commercial families.
+ One of these following values should be used (lowercase): linux, macos, unix, windows.
+ If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+ name: host.os.type
+ type: keyword
+- description: Operating system version as a raw string.
+ name: host.os.version
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Scores can range from 0.0 to 10.0, with 10.0 being the most severe.
+ Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document)
+ name: vulnerability.score.base
+ type: float
+- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss)
+ name: vulnerability.severity
+ type: keyword
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/fields.yml
new file mode 100755
index 0000000000..a70b2974e8
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/fields/fields.yml
@@ -0,0 +1,39 @@
+- name: carbon_black_cloud.asset_vulnerability_summary
+ type: group
+ fields:
+ - name: os_info
+ type: group
+ fields:
+ - name: os_arch
+ type: keyword
+ description: The identifier is for the Operating system architecture.
+ - name: last_sync
+ type: group
+ fields:
+ - name: timestamp
+ type: date
+ description: The identifier is for the Last sync time.
+ - name: sync
+ type: group
+ fields:
+ - name: status
+ type: keyword
+ description: The identifier is for the Device sync status.
+ - name: type
+ type: keyword
+ description: The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.
+ - name: type
+ type: keyword
+ description: The identifier is for the Device type.
+ - name: vm
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The identifier is for the Virtual Machine ID.
+ - name: name
+ type: keyword
+ description: The identifier is for the Virtual Machine name.
+ - name: vuln_count
+ type: integer
+ description: The identifier is for the Number of vulnerabilities at this level.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/manifest.yml b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/manifest.yml
new file mode 100755
index 0000000000..b7bf78f84d
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/manifest.yml
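Review bot: Every `description` in this fields file is prefixed with the boilerplate `The identifier is for the ...`, which produces sentences such as `The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync.` and `The identifier is for the Number of vulnerabilities at this level.`; only `vm.id` is actually an identifier. Drop the prefix and describe each field directly, e.g. `description: Whether a manual sync was triggered for the device, or if it was a scheduled sync.` for `sync.type`, `description: Number of vulnerabilities at this level.` for `vuln_count` and `description: Operating system architecture.` for `os_info.os_arch`. These descriptions are what Kibana shows users next to the field, so the wording matters more here than in an internal comment.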
@@ -0,0 +1,42 @@
+title: Asset Vulnerability Summary
+type: logs
+streams:
+ - input: httpjson
+ title: Collect asset vulnerability summary from Carbon Black Cloud
+ description: Collect asset vulnerability summary from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to query asset vulnerability summary in Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-asset-vulnerability-summary
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/sample_event.json b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/sample_event.json
new file mode 100755
index 0000000000..c31987aefe
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/asset_vulnerability_summary/sample_event.json
@@ -0,0 +1,76 @@
+{
+ "@timestamp": "2022-04-14T11:47:25.371Z",
+ "agent": {
+ "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8",
+ "hostname": "docker-fleet-agent",
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "carbon_black_cloud": {
+ "asset_vulnerability_summary": {
+ "last_sync": {
+ "timestamp": "2022-01-17T08:33:37.384Z"
+ },
+ "os_info": {
+ "os_arch": "64-bit"
+ },
+ "sync": {
+ "status": "COMPLETED",
+ "type": "SCHEDULED"
+ },
+ "type": "ENDPOINT",
+ "vuln_count": 1770
+ }
+ },
+ "data_stream": {
+ "dataset": "carbon_black_cloud.asset_vulnerability_summary",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-04-14T11:47:25.371Z",
+ "dataset": "carbon_black_cloud.asset_vulnerability_summary",
+ "ingested": "2022-04-14T11:47:26Z",
+ "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
+ },
+ "host": {
+ "hostname": "DESKTOP-008",
+ "id": "8",
+ "name": "DESKTOP-008KK",
+ "os": {
+ "name": "Microsoft Windows 10 Education",
+ "type": "windows",
+ "version": "10.0.17763"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-008"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-asset-vulnerability-summary"
+ ],
+ "vulnerability": {
+ "score": {
+ "base": 10
+ },
+ "severity": 
"CRITICAL"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..2693bd2bbb
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,32 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+
+request.url: {{hostname}}/integrationServices/v3/auditlogs
+request.transforms:
+ - set:
+ target: header.X-Auth-Token
+ value: {{api_secret_key}}/{{api_id}}
+response.split:
+ target: body.notifications
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..55cc7106f9
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,93 @@
+---
+description: Pipeline for parsing Carbon Black Cloud audit logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.eventTime
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX_MS
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.outcome
+ value: success
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.json?.flagged == true
+ - rename:
+ field: json.description
+ target_field: event.reason
+ - rename:
+ field: json.clientIp
+ target_field: client.ip
+ ignore_missing: true
+ - rename:
+ field: json.loginName
+ target_field: client.user.id
+ ignore_missing: true
+ - rename:
+ field: json.eventId
+ target_field: event.id
+ ignore_missing: true
+ - rename:
+ field: json.orgName
+ target_field: organization.name
+ ignore_missing: true
+ - urldecode:
+ field: json.requestUrl
+ target_field: url.original
+ ignore_missing: true
+ - rename:
+ field: json.verbose
+ target_field: carbon_black_cloud.audit.verbose
+ ignore_missing: true
+ - rename:
+ field: json.flagged
+ target_field: carbon_black_cloud.audit.flagged
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{{client.ip}}}"
+ allow_duplicates: false
+ - remove:
+ field: json
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags 
== null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/agent.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/agent.yml
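Review bot: The `json.description` → `event.reason` rename is the only rename in this pipeline without `ignore_missing: true`, so an audit record that lacks `description` aborts processing at that step and the `on_failure` handler indexes the document with the raw `json` object still attached and `event.original` kept regardless of the `preserve_original_event` tag; add `ignore_missing: true` to that processor. `client.user.id` receives `loginName` (an e-mail address in the sample event added by this diff) but nothing is appended to `related.user`, so the pivot that `related.ip` provides for the client address is missing for the login name; an `append` on `related.user` with `value: "{{{client.user.id}}}"` and `if: ctx?.client?.user?.id != null` would complete it.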
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..a14e71251a
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.audit
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..faa249743c
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,62 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard 
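Review bot: `event.kind`, which the audit pipeline sets to `event`, and `error.message`, which its `on_failure` handler writes, are not declared in this fields file; unless another fields file of the data stream declares them they will be mapped dynamically, and the package field validation will likely report them as undefined. Adding `- name: event.kind` / `type: keyword` here (and `error.message` with `type: match_only_text`) keeps those mappings explicit. The same applies to `related.user` if the pipeline is extended to populate it.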
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..24af5d42b9
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/fields/fields.yml
@@ -0,0 +1,9 @@
+- name: carbon_black_cloud.audit
+ type: group
+ fields:
+ - name: flagged
+ type: boolean
+ description: true if action is failed otherwise false.
+ - name: verbose
+ type: boolean
+ description: true if verbose audit log otherwise false.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/manifest.yml b/packages/carbon_black_cloud/1.0.3/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..929093a4ef
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/manifest.yml
@@ -0,0 +1,42 @@
+title: Audit
+type: logs
+streams:
+ - input: httpjson
+ title: Collect audit logs from Carbon Black Cloud
+ description: Collect audit logs from Carbon Black Cloud.
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch audit logs from Carbon Black Cloud.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/audit/sample_event.json b/packages/carbon_black_cloud/1.0.3/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..4ecd8ed454
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/audit/sample_event.json
@@ -0,0 +1,63 @@ +{ + "@timestamp": "2022-02-10T16:04:30.263Z", + "agent": { + "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9", + "hostname": "docker-fleet-agent", + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "carbon_black_cloud": { + "audit": { + "flagged": false, + "verbose": false + } + }, + "client": { + "ip": "10.10.10.10", + "user": { + "id": "abc@demo.com" + } + }, + "data_stream": { + "dataset": "carbon_black_cloud.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-04-14T11:48:30.094Z", + "dataset": "carbon_black_cloud.audit", + "id": "2122f8ce8xxxxxxxxxxxxx", + "ingested": "2022-04-14T11:48:31Z", + "kind": "event", + "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}", + "outcome": "success", + "reason": "Logged in successfully" + }, + "input": { + "type": "httpjson" + }, + "organization": { + "name": "cb-xxxx-xxxx.com" + }, + "related": { + "ip": [ + "10.10.10.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-audit" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..e02c596614 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/agent/stream/aws-s3.yml.hbs 
@@ -0,0 +1,24 @@
+bucket_arn: {{bucket_arn}}
+number_of_workers: {{number_of_workers}}
+bucket_list_interval: {{interval}}
+access_key_id: {{access_key_id}}
+secret_access_key: {{secret_access_key}}
+bucket_list_prefix: {{bucket_list_prefix}}
+expand_event_list_from_field: Records
+{{#if proxy_url}}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..3a6c8fc6df
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
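Review bot: `access_key_id`, `secret_access_key` and `bucket_list_prefix` on the first lines of the template are rendered unconditionally, so when a user leaves the static credentials blank to rely on the instance role or default credential chain the rendered config still carries `access_key_id:` and `secret_access_key:` with null values, whereas `proxy_url` a few lines below already uses the guarded form. Wrapping each optional key the same way, e.g. `{{#if access_key_id}}` / `access_key_id: {{access_key_id}}` / `{{/if}}`, keeps unset values out of the rendered stream entirely. Whether the aws-s3 input treats a null value as unset or as an explicit empty credential is not visible here, so the guard is the safe choice either way.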
@@ -0,0 +1,587 @@ +--- +description: Pipeline for parsing Carbon Black Cloud Endpoint Events. +processors: + - set: + field: ecs.version + value: '8.0.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.create_time + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: json.action + target_field: event.action + ignore_missing: true + - rename: + field: json.event_id + target_field: event.id + ignore_missing: true + - rename: + field: json.event_description + target_field: event.reason + ignore_missing: true + - rename: + field: json.filemod_name + target_field: file.path + ignore_missing: true + - rename: + field: json.modload_name + target_field: dll.path + ignore_missing: true + - set: + field: network.transport + value: udp + if: ctx?.json?.netconn_protocol == "PROTO_UDP" + - set: + field: network.transport + value: tcp + if: ctx?.json?.netconn_protocol == "PROTO_TCP" + - set: + field: network.direction + value: inbound + if: ctx?.json?.netconn_inbound == true + - set: + field: network.direction + value: outbound + if: ctx?.json?.netconn_inbound == false + - rename: + field: json.remote_port + target_field: source.port + ignore_missing: true + - rename: + field: json.remote_ip + target_field: source.ip + ignore_missing: true + - rename: + field: json.netconn_domain + target_field: source.address + ignore_missing: true + - rename: + field: json.local_port + target_field: client.port + ignore_missing: true + - rename: + field: json.local_ip + target_field: client.ip + ignore_missing: true + - convert: + field: json.device_id + target_field: host.id + type: string + ignore_missing: true + - set: + field: host.os.type + value: windows + if: ctx?.json?.device_os == "WINDOWS" + - set: + field: host.os.type + value: linux + if: ctx?.json?.device_os == "LINUX" + - set: + field: host.os.type + 
value: macos + if: ctx?.json?.device_os == "MAC" + - rename: + field: json.device_name + target_field: host.hostname + ignore_missing: true + - grok: + field: host.hostname + patterns: + - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$' + ignore_missing: true + ignore_failure: true + - set: + field: host.name + value: "{{{host.hostname}}}" + ignore_failure: true + - rename: + field: json.device_group + target_field: host.os.family + ignore_missing: true + - append: + field: host.ip + value: "{{{json.device_internal_ip}}}" + if: ctx?.json?.device_internal_ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: "{{{json.device_external_ip}}}" + if: ctx?.json?.device_external_ip != null + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device_group + target_field: host.os.family + ignore_missing: true + - rename: + field: json.process_cmdline + target_field: process.command_line + ignore_missing: true + - rename: + field: json.process_guid + target_field: process.entity_id + ignore_missing: true + - rename: + field: json.process_path + target_field: process.executable + ignore_missing: true + - rename: + field: json.process_pid + target_field: process.pid + ignore_missing: true + - rename: + field: json.parent_cmdline + target_field: process.parent.command_line + ignore_missing: true + - rename: + field: json.parent_guid + target_field: process.parent.entity_id + ignore_missing: true + - rename: + field: json.parent_path + target_field: process.parent.executable + ignore_missing: true + - rename: + field: json.parent_pid + target_field: process.parent.pid + ignore_missing: true + - rename: + field: json.regmod_name + target_field: registry.path + ignore_missing: true + - append: + field: related.ip + value: + - "{{{json.device_internal_ip}}}" + - "{{{json.device_external_ip}}}" + - "{{{json.netconn_proxy_ip}}}" + - "{{{source.ip}}}" + - "{{{client.ip}}}" + allow_duplicates: false + - append: + 
field: related.user + value: + - "{{{json.process_username}}}" + - "{{{json.childproc_username}}}" + allow_duplicates: false + - append: + field: related.hosts + value: + - "{{{host.hostname}}}" + - "{{{user.domain}}}" + allow_duplicates: false + - script: + description: Dynamically map MD5 and SHA256 hash + lang: painless + source: | + void mapHashField(def ctx, def hashes, def key) { + for (hash in hashes) { + if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;} + if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;} + } + } + if (ctx.json?.process_hash instanceof List) { + mapHashField(ctx, ctx.json?.process_hash, "process_hash"); + } + if (ctx.json?.parent_hash instanceof List) { + mapHashField(ctx, ctx.json?.parent_hash, "parent_hash"); + } + if (ctx.json?.filemod_hash instanceof List) { + mapHashField(ctx, ctx.json?.filemod_hash, "filemod_hash"); + } + if (ctx.json?.childproc_hash instanceof List) { + mapHashField(ctx, ctx.json?.childproc_hash, "childproc_hash"); + } + if (ctx.json?.crossproc_hash instanceof List) { + mapHashField(ctx, ctx.json?.crossproc_hash, "crossproc_hash"); + } + if (ctx.json?.scriptload_hash instanceof List) { + mapHashField(ctx, ctx.json?.scriptload_hash, "scriptload_hash"); + } + - rename: + field: json.process_hash_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: json.process_hash_sha256 + target_field: process.hash.sha256 + ignore_missing: true + - rename: + field: json.parent_hash_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: json.parent_hash_sha256 + target_field: process.parent.hash.sha256 + ignore_missing: true + - rename: + field: json.backend_timestamp + target_field: carbon_black_cloud.endpoint_event.backend.timestamp + ignore_missing: true + - rename: + field: json.device_timestamp + target_field: carbon_black_cloud.endpoint_event.device.timestamp + ignore_missing: true + - rename: + field: json.device_os + target_field: 
carbon_black_cloud.endpoint_event.device.os + ignore_missing: true + - rename: + field: json.childproc_name + target_field: carbon_black_cloud.endpoint_event.childproc.name + ignore_missing: true + - rename: + field: json.org_key + target_field: carbon_black_cloud.endpoint_event.organization_key + ignore_missing: true + - rename: + field: json.process_duration + target_field: carbon_black_cloud.endpoint_event.process.duration + ignore_missing: true + - foreach: + field: json.process_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.process_publisher + target_field: carbon_black_cloud.endpoint_event.process.publisher + ignore_missing: true + - rename: + field: json.process_reputation + target_field: carbon_black_cloud.endpoint_event.process.reputation + ignore_missing: true + - rename: + field: json.process_terminated + target_field: carbon_black_cloud.endpoint_event.process.terminated + ignore_missing: true + - rename: + field: json.process_username + target_field: carbon_black_cloud.endpoint_event.process.username + ignore_missing: true + - rename: + field: json.parent_reputation + target_field: carbon_black_cloud.endpoint_event.process.parent.reputation + ignore_missing: true + - rename: + field: json.target_cmdline + target_field: carbon_black_cloud.endpoint_event.target_cmdline + ignore_missing: true + - rename: + field: json.type + target_field: carbon_black_cloud.endpoint_event.type + ignore_missing: true + +# Mapping for endpoint.event.crossproc event type + + - rename: + field: json.crossproc_action + target_field: carbon_black_cloud.endpoint_event.crossproc.action + ignore_missing: true + - rename: + field: json.crossproc_api + target_field: carbon_black_cloud.endpoint_event.crossproc.api + ignore_missing: true + - rename: + field: json.crossproc_guid + target_field: carbon_black_cloud.endpoint_event.crossproc.guid + 
ignore_missing: true + - rename: + field: json.crossproc_name + target_field: carbon_black_cloud.endpoint_event.crossproc.name + ignore_missing: true + - rename: + field: json.crossproc_target + target_field: carbon_black_cloud.endpoint_event.crossproc.target + ignore_missing: true + - rename: + field: json.crossproc_reputation + target_field: carbon_black_cloud.endpoint_event.crossproc.reputation + ignore_missing: true + - foreach: + field: json.crossproc_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.crossproc_publisher + target_field: carbon_black_cloud.endpoint_event.crossproc.publisher + ignore_missing: true + - rename: + field: json.crossproc_hash_md5 + target_field: carbon_black_cloud.endpoint_event.crossproc.hash.md5 + ignore_missing: true + - rename: + field: json.crossproc_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.crossproc.hash.sha256 + ignore_missing: true + +# Mapping for endpoint.event.filemod event type + + - rename: + field: json.filemod_hash_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: json.filemod_hash_sha256 + target_field: file.hash.sha256 + ignore_missing: true + +# Mapping for endpoint.event.fileless_scriptload event type + + - rename: + field: json.fileless_scriptload_cmdline + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline + ignore_missing: true + - rename: + field: json.fileless_scriptload_cmdline_length + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length + ignore_missing: true + - rename: + field: json.fileless_scriptload_hash_md5 + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 + ignore_missing: true + - rename: + field: json.fileless_scriptload_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 + ignore_missing: true + +# 
Mapping for endpoint.event.moduleload event type + + - rename: + field: json.modload_md5 + target_field: dll.hash.md5 + ignore_missing: true + - rename: + field: json.modload_sha256 + target_field: dll.hash.sha256 + ignore_missing: true + - rename: + field: json.modload_effective_reputation + target_field: carbon_black_cloud.endpoint_event.modload.effective_reputation + ignore_missing: true + - rename: + field: json.modload_count + target_field: carbon_black_cloud.endpoint_event.modload.count + ignore_missing: true + - foreach: + field: json.modload_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.modload_publisher + target_field: carbon_black_cloud.endpoint_event.modload.publisher + ignore_missing: true + +# Mapping for endpoint.event.netconn_proxy event type + + - rename: + field: json.netconn_proxy_domain + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.domain + ignore_missing: true + - rename: + field: json.netconn_proxy_port + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.port + ignore_missing: true + - rename: + field: json.netconn_proxy_ip + target_field: carbon_black_cloud.endpoint_event.netconn.proxy.ip + ignore_missing: true + +# Mapping for endpoint.event.procstart event type + + - rename: + field: json.childproc_guid + target_field: carbon_black_cloud.endpoint_event.childproc.guid + ignore_missing: true + - rename: + field: json.childproc_name + target_field: carbon_black_cloud.endpoint_event.childproc.name + ignore_missing: true + - rename: + field: json.childproc_pid + target_field: carbon_black_cloud.endpoint_event.childproc.pid + ignore_missing: true + - foreach: + field: json.childproc_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.childproc_publisher + 
target_field: carbon_black_cloud.endpoint_event.childproc.publisher + ignore_missing: true + - rename: + field: json.childproc_reputation + target_field: carbon_black_cloud.endpoint_event.childproc.reputation + ignore_missing: true + - rename: + field: json.childproc_username + target_field: carbon_black_cloud.endpoint_event.childproc.username + ignore_missing: true + - rename: + field: json.childproc_hash_md5 + target_field: carbon_black_cloud.endpoint_event.childproc.hash.md5 + ignore_missing: true + - rename: + field: json.childproc_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.childproc.hash.sha256 + ignore_missing: true + +# Mapping for NGAV endpoint.event.scriptload event type + + - rename: + field: json.scriptload_name + target_field: carbon_black_cloud.endpoint_event.scriptload.name + ignore_missing: true + - foreach: + field: json.scriptload_publisher + processor: + split: + field: _ingest._value.state + separator: " \\| " + ignore_missing: true + ignore_missing: true + ignore_failure: true + - rename: + field: json.scriptload_publisher + target_field: carbon_black_cloud.endpoint_event.scriptload.publisher + ignore_missing: true + - rename: + field: json.scriptload_count + target_field: carbon_black_cloud.endpoint_event.scriptload.count + ignore_missing: true + - rename: + field: json.scriptload_hash_md5 + target_field: carbon_black_cloud.endpoint_event.scriptload.hash.md5 + ignore_missing: true + - rename: + field: json.scriptload_hash_sha256 + target_field: carbon_black_cloud.endpoint_event.scriptload.hash.sha256 + ignore_missing: true + - rename: + field: json.scriptload_effective_reputation + target_field: carbon_black_cloud.endpoint_event.scriptload.effective_reputation + ignore_missing: true + - rename: + field: json.scriptload_reputation + target_field: carbon_black_cloud.endpoint_event.scriptload.reputation + ignore_missing: true + - rename: + field: json.device_internal_ip + target_field: 
carbon_black_cloud.endpoint_event.device.internal_ip + ignore_missing: true + - rename: + field: json.device_external_ip + target_field: carbon_black_cloud.endpoint_event.device.external_ip + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + - append: + field: related.hash + value: + - "{{{process.hash.md5}}}" + - "{{{process.hash.sha256}}}" + - "{{{process.parent.hash.md5}}}" + - "{{{process.parent.hash.sha256}}}" + - "{{{file.hash.md5}}}" + - "{{{file.hash.sha256}}}" + - "{{{dll.hash.md5}}}" + - "{{{dll.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.childproc.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.childproc.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.crossproc.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256}}}" + - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.md5}}}" + - "{{{carbon_black_cloud.endpoint_event.scriptload.hash.sha256}}}" + allow_duplicates: false + - script: + description: Adds all the remaining fields in fields under carbon_black_cloud.endpoint_event + lang: painless + if: ctx?.json != null + source: | + for (Map.Entry m : ctx.json.entrySet()) { + ctx.carbon_black_cloud.endpoint_event[m.getKey()] = m.getValue(); + } + - remove: + field: + - json + - carbon_black_cloud.endpoint_event.create_time + - carbon_black_cloud.endpoint_event.device_id + - carbon_black_cloud.endpoint_event.process_hash + - carbon_black_cloud.endpoint_event.parent_hash + - carbon_black_cloud.endpoint_event.crossproc_hash + - carbon_black_cloud.endpoint_event.filemod_hash + - carbon_black_cloud.endpoint_event.childproc_hash + - carbon_black_cloud.endpoint_event.modload_hash + - carbon_black_cloud.endpoint_event.scriptload_hash + - 
carbon_black_cloud.endpoint_event.netconn_inbound + - carbon_black_cloud.endpoint_event.netconn_protocol + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); + - script: + description: Remove duplicate values + lang: painless + source: | + if (ctx?.related?.user != null) { + ctx.related.user = new HashSet(ctx.related.user) + } + if (ctx?.related?.hash != null) { + ctx.related.hash = new HashSet(ctx.related.hash) + } + if (ctx?.related?.ip != null) { + ctx.related.ip = new HashSet(ctx.related.ip) + } +on_failure: + - set: + field: error.message + value: "{{{_ingest.on_failure_message}}}" diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/agent.yml 
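Review bot: The `json.device_group` → `host.os.family` rename appears twice in this hunk, once directly after the `host.name` set and again after the two `host.ip` appends; the second copy can never fire once the first has moved the field and should be dropped. By its name `device_group` reads as a Carbon Black device/policy grouping rather than an OS family, which the package's own `host.os.family` definition describes with values like redhat or windows, so if that reading is right a custom field such as `carbon_black_cloud.endpoint_event.device.group` would be the accurate target — worth confirming against the vendor schema. Separately, `json.remote_ip`/`json.remote_port` land in `source.*` while `json.local_ip`/`json.local_port` land in `client.*`, mixing ECS's source/destination pair with its client/server pair; since `network.direction` is already derived from `netconn_inbound`, the remote endpoint is the destination of an outbound connection and the source of an inbound one, so those renames should pick `source.*`/`destination.*` by that flag, or at least keep local and remote within one pair. Finally, the script that copies every remaining `json.*` key under `carbon_black_cloud.endpoint_event` means any field the vendor adds upstream is mapped dynamically; if the index template does not restrict dynamic mapping on that object, an explicit allow-list is worth considering.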
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/base-fields.yml new file mode 100755 index 0000000000..9b3253d2db --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: '@timestamp' + type: date + description: Event timestamp. +- name: event.module + type: constant_keyword + description: Event module. + value: carbon_black_cloud +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: carbon_black_cloud.endpoint_event diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/ecs.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/ecs.yml new file mode 100755 index 0000000000..67b02cba96 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/ecs.yml 
@@ -0,0 +1,200 @@ +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: MD5 hash. + name: dll.hash.md5 + type: keyword +- description: SHA256 hash. + name: dll.hash.sha256 + type: keyword +- description: Full file path of the library. + name: dll.path + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. 
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + Reason why this event happened, according to the source. + This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + name: event.reason + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Hostname of the host. + It normally contains what the `hostname` command returns on the host machine. + name: host.hostname + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: Host ip addresses. + name: host.ip + type: ip +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: host.os.family + type: keyword +- description: Operating system name, without the version. 
+ multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. 
+ name: process.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.executable + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.hash.sha256 + type: keyword +- description: |- + Full command line that started the process, including the absolute path to the executable, and all arguments. + Some arguments may be filtered to protect sensitive information. + multi_fields: + - name: text + type: match_only_text + name: process.parent.command_line + type: wildcard +- description: |- + Unique identifier for the process. + The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. + Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + name: process.parent.entity_id + type: keyword +- description: Absolute path to the process executable. + multi_fields: + - name: text + type: match_only_text + name: process.parent.executable + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: SHA256 hash. + name: process.parent.hash.sha256 + type: keyword +- description: Process id. + name: process.parent.pid + type: long +- description: Process id. + name: process.pid + type: long +- description: Full path, including hive, key and value + name: registry.path + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
+ name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/fields.yml new file mode 100755 index 0000000000..199988ffb6 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/fields/fields.yml 
@@ -0,0 +1,239 @@
+- name: carbon_black_cloud.endpoint_event
+ type: group
+ fields:
+ - name: alert_id
+ type: keyword
+ description: The ID of the Alert this event is associated with.
+ - name: backend
+ type: group
+ fields:
+ - name: timestamp
+ type: keyword
+ description: Time when the backend received the batch of events.
+ - name: childproc
+ type: group
+ fields:
+ - name: guid
+ type: keyword
+ description: Unique ID of the child process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the executable file backing the child process.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the executable file backing the child process.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: pid
+ type: long
+ description: OS-reported Process ID of the child process.
+ - name: publisher
+ type: group
+ description: Signature entry for the childproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the childproc.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that the child process was started under.
+ - name: crossproc
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ description: The action taken on cross-process.
+ - name: api
+ type: keyword
+ description: Name of the operating system API called by the actor process.
+ - name: guid
+ type: keyword
+ description: Unique ID of the cross process.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the crossproc event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the crossproc event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the crossproc as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the crossproc.
+ - name: target
+ type: boolean
+ description: True if the process was the target of the cross-process event; false if the process was the actor.
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: Os name.
+ - name: timestamp
+ type: keyword
+ description: Time seen on sensor.
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: event_origin
+ type: keyword
+ description: Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard.
+ - name: fileless_scriptload
+ type: group
+ fields:
+ - name: cmdline
+ type: keyword
+ description: Deobfuscated script content run in a fileless context by the process.
+ - name: cmdline_length
+ type: keyword
+ description: Character count of the deobfuscated script content run in a fileless context.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: MD5 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: sha256
+ type: keyword
+ description: SHA-256 hash of the deobfuscated script content run by the process in a fileless context.
+ - name: modload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of modload events reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred.
+ - name: publisher
+ type: group
+ description: Signature entry for the moduleload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: netconn
+ type: group
+ fields:
+ - name: proxy
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address.
+ - name: ip
+ type: keyword
+ description: IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection.
+ - name: port
+ type: keyword
+ description: UDP/TCP port number associated with the "proxy" end of this network connection.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: duration
+ type: long
+ description: The time difference in seconds between the process start and process terminate event.
+ - name: parent
+ type: group
+ fields:
+ - name: reputation
+ type: keyword
+ description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: publisher
+ type: group
+ description: Signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: terminated
+ type: boolean
+ description: True if process was terminated elase false.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: schema
+ type: long
+ description: The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way.
+ - name: scriptload
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: Count of scriptload events across all processes reported by the sensor since last initialization.
+ - name: effective_reputation
+ type: keyword
+ description: Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred.
+ - name: hash
+ type: group
+ fields:
+ - name: md5
+ type: keyword
+ description: Cryptographic MD5 hashes of the target of the scriptload event.
+ - name: sha256
+ type: keyword
+ description: Cryptographic SHA256 hashes of the target of the scriptload event.
+ - name: name
+ type: keyword
+ description: Full path to the target of the crossproc event on the device's local file system.
+ - name: publisher
+ type: group
+ description: Signature entry for the scriptload as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Carbon Black Cloud Reputation string for the scriptload.
+ - name: sensor_action
+ type: keyword
+ description: The sensor action taken on event.
+ - name: target_cmdline
+ type: keyword
+ description: Process command line associated with the target process.
+ - name: type
+ type: keyword
+ description: The event type.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/manifest.yml b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/manifest.yml
new file mode 100755
index 0000000000..0f52e82022
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/manifest.yml
@@ -0,0 +1,48 @@
+title: Endpoint Event
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect endpoint events from Carbon Black Cloud
+ description: Collect endpoint events from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch endpoint events from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-endpoint-event
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
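Review bot: Two descriptions in this hunk look copy-pasted from the `crossproc` group: `childproc.name` and `scriptload.name` both read "Full path to the target of the crossproc event on the device's local file system." although one describes the child process and the other the loaded script; suggest `description: Full path to the executable file backing the child process on the device's local file system.` and `description: Full path to the script file loaded by the process on the device's local file system.`. `process.terminated` has a typo ("elase" should be "else"). `fileless_scriptload.cmdline_length` is documented as a character count but typed `keyword`, unlike `modload.count` and `scriptload.count` which are `long`; if the source emits a number, `type: long` keeps it comparable. Likewise `netconn.proxy.ip` and `netconn.proxy.port` are an address and a port number typed `keyword`, while `device.internal_ip`/`device.external_ip` in the same file are `ip`, so a query on one address field will not find proxy addresses.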
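Review bot: The `tags` variable is the only var in this stream without a `description`, yet its default carries `forwarded`, which the identical watchlist_hit `aws-s3.yml.hbs` in this commit turns into `publisher_pipeline.disable_host: true`; a user who drops that tag silently re-enables the collecting agent's host fields on events that describe other hosts. Suggest `description: Tags added to each event. Keep 'forwarded' so that host fields of the collecting agent are not attached to events that describe remote endpoints.`. The endpoint_event `aws-s3.yml.hbs` referenced by `template_path` is not in this chunk, so whether it has the same `{{#contains "forwarded" tags}}` block is inferred from the sibling stream.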
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/sample_event.json b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/sample_event.json new file mode 100755 index 0000000000..958377158a --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/endpoint_event/sample_event.json 
@@ -0,0 +1,96 @@ +{ + "process": { + "parent": { + "pid": 1684, + "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62", + "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe", + "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe", + "hash": { + "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5", + "md5": "03dd698da2671383c9b4f868c9931879" + } + }, + "pid": 4880, + "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37", + "command_line": "\"route.exe\" print", + "executable": "c:\\windows\\system32\\route.exe", + "hash": { + "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6", + "md5": "2498272dc48446891182747428d02a30" + } + }, + "ecs": { + "version": "8.0.0" + }, + "carbon_black_cloud": { + "endpoint_event": { + "schema": 1, + "event_origin": "EDR", + "process": { + "duration": 2, + "parent": { + "reputation": "REP_RESOLVING" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_RESOLVING", + "terminated": true, + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "XXXXXXXX", + "backend": { + "timestamp": "2022-02-10 11:52:50 +0000 UTC" + }, + "target_cmdline": "\"route.exe\" print", + "type": "endpoint.event.procend", + "device": { + "os": "WINDOWS", + "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC", + "external_ip": "67.43.156.12" + }, + "sensor_action": "ACTION_ALLOW" + } + }, + "host": { + "hostname": "client-cb2", + "id": "4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": 
"{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": "3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + 
"preserve_original_event", + "forwarded", + "carbon_black_cloud-endpoint-event" + ] +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs new file mode 100755 index 0000000000..e02c596614 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/agent/stream/aws-s3.yml.hbs @@ -0,0 +1,24 @@ +bucket_arn: {{bucket_arn}} +number_of_workers: {{number_of_workers}} +bucket_list_interval: {{interval}} +access_key_id: {{access_key_id}} +secret_access_key: {{secret_access_key}} +bucket_list_prefix: {{bucket_list_prefix}} +expand_event_list_from_field: Records +{{#if proxy_url}} +proxy_url: {{proxy_url}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..1699bc69c1 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,293 @@
+---
+description: Pipeline for parsing Carbon Black Cloud watchlist hit.
+processors:
+ - set:
+ field: ecs.version
+ value: '8.0.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.create_time
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - ISO8601
+ - rename:
+ field: json.severity
+ target_field: event.severity
+ ignore_missing: true
+ - convert:
+ field: json.device_id
+ target_field: host.id
+ type: string
+ ignore_missing: true
+ - set:
+ field: host.os.type
+ value: windows
+ if: ctx?.json?.device_os == "WINDOWS"
+ - set:
+ field: host.os.type
+ value: linux
+ if: ctx?.json?.device_os == "LINUX"
+ - set:
+ field: host.os.type
+ value: macos
+ if: ctx?.json?.device_os == "MAC"
+ - rename:
+ field: json.device_os_version
+ target_field: host.os.version
+ ignore_missing: true
+ - rename:
+ field: json.device_name
+ target_field: host.hostname
+ ignore_missing: true
+ - grok:
+ field: host.hostname
+ patterns:
+ - '^(%{DATA:user.domain})\\(%{GREEDYDATA:host.hostname})$'
+ ignore_missing: true
+ ignore_failure: true
+ - set:
+ field: host.name
+ value: "{{{host.hostname}}}"
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_internal_ip}}}"
+ if: ctx?.json?.device_internal_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - append:
+ field: host.ip
+ value: "{{{json.device_external_ip}}}"
+ if: ctx?.json?.device_external_ip != null
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.process_cmdline
+ target_field: process.command_line
+ ignore_missing: true
+ - rename:
+ field: json.process_guid
+ target_field: process.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.process_path
+ target_field: process.executable
+ ignore_missing: true
+ - rename:
+ field: json.process_pid
+ 
target_field: process.pid
+ ignore_missing: true
+ - rename:
+ field: json.parent_cmdline
+ target_field: process.parent.command_line
+ ignore_missing: true
+ - rename:
+ field: json.parent_guid
+ target_field: process.parent.entity_id
+ ignore_missing: true
+ - rename:
+ field: json.parent_path
+ target_field: process.parent.executable
+ ignore_missing: true
+ - rename:
+ field: json.parent_pid
+ target_field: process.parent.pid
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value:
+ - "{{{json.device_internal_ip}}}"
+ - "{{{json.device_external_ip}}}"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value:
+ - "{{{json.parent_username}}}"
+ - "{{{json.process_username}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value:
+ - "{{{host.hostname}}}"
+ - "{{{user.domain}}}"
+ allow_duplicates: false
+ - script:
+ description: Dynamically map MD5 and SHA256 hash
+ lang: painless
+ source: |
+ void mapHashField(def ctx, def hashes, def key) {
+ for (hash in hashes) {
+ if (hash.length() == 32) {ctx["json"][key + "_md5"] = hash;}
+ if (hash.length() == 64) {ctx["json"][key + "_sha256"] = hash;}
+ }
+ }
+ if (ctx.json?.process_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.process_hash, "process_hash");
+ }
+ if (ctx.json?.parent_hash instanceof List) {
+ mapHashField(ctx, ctx.json?.parent_hash, "parent_hash");
+ }
+ - rename:
+ field: json.process_hash_md5
+ target_field: process.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.process_hash_sha256
+ target_field: process.hash.sha256
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_md5
+ target_field: process.parent.hash.md5
+ ignore_missing: true
+ - rename:
+ field: json.parent_hash_sha256
+ target_field: process.parent.hash.sha256
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value:
+ - "{{{process.hash.md5}}}"
+ - "{{{process.hash.sha256}}}"
+ - "{{{process.parent.hash.md5}}}"
+ - "{{{process.parent.hash.sha256}}}"
+ allow_duplicates: 
false
+ - rename:
+ field: json.device_os
+ target_field: carbon_black_cloud.watchlist_hit.device.os
+ ignore_missing: true
+ - rename:
+ field: json.device_internal_ip
+ target_field: carbon_black_cloud.watchlist_hit.device.internal_ip
+ ignore_missing: true
+ - rename:
+ field: json.device_external_ip
+ target_field: carbon_black_cloud.watchlist_hit.device.external_ip
+ ignore_missing: true
+ - rename:
+ field: json.ioc_hit
+ target_field: carbon_black_cloud.watchlist_hit.ioc.hit
+ ignore_missing: true
+ - rename:
+ field: json.ioc_id
+ target_field: carbon_black_cloud.watchlist_hit.ioc.id
+ ignore_missing: true
+ - rename:
+ field: json.org_key
+ target_field: carbon_black_cloud.watchlist_hit.organization_key
+ ignore_missing: true
+ - foreach:
+ field: json.parent_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.parent_publisher
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.publisher
+ ignore_missing: true
+ - rename:
+ field: json.parent_reputation
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.reputation
+ ignore_missing: true
+ - rename:
+ field: json.parent_username
+ target_field: carbon_black_cloud.watchlist_hit.process.parent.username
+ ignore_missing: true
+ - foreach:
+ field: json.process_publisher
+ processor:
+ split:
+ field: _ingest._value.state
+ separator: " \\| "
+ ignore_missing: true
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: json.process_publisher
+ target_field: carbon_black_cloud.watchlist_hit.process.publisher
+ ignore_missing: true
+ - rename:
+ field: json.process_reputation
+ target_field: carbon_black_cloud.watchlist_hit.process.reputation
+ ignore_missing: true
+ - rename:
+ field: json.process_username
+ target_field: carbon_black_cloud.watchlist_hit.process.username
+ ignore_missing: true
+ - rename:
+ field: json.report_id
+ target_field: 
carbon_black_cloud.watchlist_hit.report.id
+ ignore_missing: true
+ - rename:
+ field: json.report_name
+ target_field: carbon_black_cloud.watchlist_hit.report.name
+ ignore_missing: true
+ - rename:
+ field: json.report_tags
+ target_field: carbon_black_cloud.watchlist_hit.report.tags
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ - script:
+ description: Adds all the remaining fields in fields under carbon_black_cloud.watchlist_hit
+ lang: painless
+ if: ctx?.json != null
+ source: |
+ for (Map.Entry m : ctx.json.entrySet()) {
+ ctx.carbon_black_cloud.watchlist_hit[m.getKey()] = m.getValue();
+ }
+ - remove:
+ field:
+ - json
+ - carbon_black_cloud.watchlist_hit.create_time
+ - carbon_black_cloud.watchlist_hit.device_id
+ - carbon_black_cloud.watchlist_hit.process_hash
+ - carbon_black_cloud.watchlist_hit.parent_hash
+ ignore_missing: true
+ - script:
+ description: Remove duplicate values
+ lang: painless
+ source: |
+ if (ctx?.related?.user != null) {
+ ctx.related.user = new HashSet(ctx.related.user)
+ }
+ if (ctx?.related?.hash != null) {
+ ctx.related.hash = new HashSet(ctx.related.hash)
+ }
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{_ingest.on_failure_message}}}"
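Review bot: The "Adds all the remaining fields" script writes through `ctx.carbon_black_cloud.watchlist_hit[...]` with only `ctx?.json != null` as its guard; if none of the preceding `rename` processors created `carbon_black_cloud.watchlist_hit` (a record that carries only ECS-mapped keys plus, say, `type` or `watchlists`), the dereference is a null-pointer failure, the event lands in `on_failure` with just `error.message` set, and the unparsed `json` object stays attached because the later `remove` never runs. Creating the target map first, `if (ctx.carbon_black_cloud == null) { ctx.carbon_black_cloud = new HashMap(); }` followed by `if (ctx.carbon_black_cloud.watchlist_hit == null) { ctx.carbon_black_cloud.watchlist_hit = new HashMap(); }`, makes the copy safe regardless of which source fields were present; whether such records occur in practice is not visible here. Separately, `json.ioc_hit` and `json.ioc_id` are renamed but there is no rename for `json.ioc_field`, so if the source emits it the catch-all stores it as `carbon_black_cloud.watchlist_hit.ioc_field` rather than the `ioc.field` keyword that fields.yml declares. The final "Remove duplicate values" script re-deduplicates `related.user` and `related.hash` through `HashSet` even though both `append` processors already set `allow_duplicates: false`, while `related.ip` and `related.hosts` get neither treatment; one consistent mechanism would be easier to reason about.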
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/agent.yml
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/base-fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/base-fields.yml
new file mode 100755
index 0000000000..89df536282
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: carbon_black_cloud
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: carbon_black_cloud.watchlist_hit
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/ecs.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/ecs.yml
new file mode 100755
index 0000000000..dd43f31d74
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/ecs.yml
@@ -0,0 +1,134 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: |-
+ Hostname of the host.
+ It normally contains what the `hostname` command returns on the host machine.
+ name: host.hostname
+ type: keyword
+- description: |-
+ Unique host id.
+ As hostname is not always unique, use values that are meaningful in your environment.
+ Example: The current usage of `beat.name`.
+ name: host.id
+ type: keyword
+- description: Host ip addresses.
+ name: host.ip
+ type: ip
+- description: |-
+ Name of the host.
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
+ name: host.name
+ type: keyword
+- description: |-
+ Use the `os.type` field to categorize the operating system into one of the broad commercial families.
+ One of these following values should be used (lowercase): linux, macos, unix, windows.
+ If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.
+ name: host.os.type
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.hash.sha256
+ type: keyword
+- description: |-
+ Full command line that started the process, including the absolute path to the executable, and all arguments.
+ Some arguments may be filtered to protect sensitive information.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.command_line
+ type: wildcard
+- description: |-
+ Unique identifier for the process.
+ The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+ Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+ name: process.parent.entity_id
+ type: keyword
+- description: Absolute path to the process executable.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: process.parent.executable
+ type: keyword
+- description: MD5 hash.
+ name: process.parent.hash.md5
+ type: keyword
+- description: SHA256 hash.
+ name: process.parent.hash.sha256
+ type: keyword
+- description: Process id.
+ name: process.parent.pid
+ type: long
+- description: Process id.
+ name: process.pid
+ type: long
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Name of the directory the user is a member of.
+ For example, an LDAP or Active Directory domain name.
+ name: user.domain
+ type: keyword
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/fields.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/fields.yml
new file mode 100755
index 0000000000..25cb25005e
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/fields/fields.yml
@@ -0,0 +1,89 @@
+- name: carbon_black_cloud.watchlist_hit
+ type: group
+ fields:
+ - name: device
+ type: group
+ fields:
+ - name: os
+ type: keyword
+ description: OS Type of device (Windows/OSX/Linux).
+ - name: internal_ip
+ type: ip
+ description: Internal IP of the device.
+ - name: external_ip
+ type: ip
+ description: External IP of the device.
+ - name: ioc
+ type: group
+ fields:
+ - name: field
+ type: keyword
+ description: Field the IOC hit contains.
+ - name: hit
+ type: keyword
+ description: IOC field value, or IOC query that matches.
+ - name: id
+ type: keyword
+ description: ID of the IOC that caused the hit.
+ - name: organization_key
+ type: keyword
+ description: The organization key associated with the console instance.
+ - name: process
+ type: group
+ fields:
+ - name: parent
+ type: group
+ fields:
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the publisher.
+ - name: state
+ type: keyword
+ description: The state of the publisher.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: publisher
+ type: group
+ description: signature entry for the process as reported by the endpoint.
+ - name: reputation
+ type: keyword
+ description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud.
+ - name: username
+ type: keyword
+ description: The username associated with the user context that this process was started under.
+ - name: report
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: ID of the watchlist report(s) that detected a hit on the process.
+ - name: name
+ type: keyword
+ description: Name of the watchlist report(s) that detected a hit on the process.
+ - name: tags
+ type: keyword
+ description: List of tags associated with the report(s) that detected a hit on the process.
+ - name: schema
+ type: long
+ description: Schema version.
+ - name: type
+ type: keyword
+ description: The watchlist hit type.
+ - name: watchlists
+ type: group
+ description: List of watchlists that contain the report of the ioc hit.
+ fields:
+ - name: id
+ type: keyword
+ description: The ID of the watchlists.
+ - name: name
+ type: keyword
+ description: The name of the watchlists.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/manifest.yml b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/manifest.yml
new file mode 100755
index 0000000000..7782458210
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/manifest.yml
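Review bot: The `process.publisher` group is declared with a description but no `fields:`, whereas its sibling `process.parent.publisher` declares `name` and `state`; the ingest pipeline's `foreach`/`split` on `json.process_publisher` and the sample event both populate `publisher[].name` and `publisher[].state` for the process itself, so those two keywords end up without an explicit mapping. Mirroring the parent definition closes the gap. The `ioc.field` keyword declared here has no corresponding rename in the ingest pipeline, which only maps `json.ioc_hit` and `json.ioc_id`; either map `json.ioc_field` there or drop the declaration so the field list matches what the pipeline can produce.
```yaml
      - name: publisher
        type: group
        # … unchanged: description …
        fields:
          - name: name
            type: keyword
            description: The name of the publisher.
          - name: state
            type: keyword
            description: The state of the publisher.
```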
@@ -0,0 +1,48 @@
+title: Watchlist Hit
+type: logs
+streams:
+ - input: aws-s3
+ title: Collect watchlist hit from Carbon Black Cloud
+ description: Collect watchlist hit from Carbon Black Cloud.
+ template_path: aws-s3.yml.hbs
+ vars:
+ - name: bucket_list_prefix
+ type: text
+ title: Bucket Prefix
+ description: Prefix to apply for the list request to the S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Interval to fetch watchlist hit from AWS S3 bucket.
+ multi: false
+ required: true
+ show_user: true
+ default: 1m
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - carbon_black_cloud-watchlist-hit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/sample_event.json b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/sample_event.json
new file mode 100755
index 0000000000..0a5e6c32fb
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/data_stream/watchlist_hit/sample_event.json
@@ -0,0 +1,130 @@
+{
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-watchlist-hit"
+ ],
+ "input": {
+ "type": "aws-s3"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "carbon_black_cloud.watchlist_hit"
+ },
+ "agent": {
+ "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "process": {
+ "parent": {
+ "pid": 4076,
+ "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1",
+ "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"",
+ "executable": "c:\\windows\\syswow64\\cmd.exe",
+ "hash": {
+ "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22",
+ "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b"
+ }
+ },
+ "pid": 7516,
+ "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6",
+ "command_line": "sc query aella_conf ",
+ "executable": "c:\\windows\\syswow64\\sc.exe",
+ "hash": {
+ "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2",
+ "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8"
+ }
+ },
+ "carbon_black_cloud": {
+ "watchlist_hit": {
+ "schema": 1,
+ "process": {
+ "parent": {
+ "publisher": [
+ {
+ "name": "Microsoft Windows",
+ "state": [
+ "FILE_SIGNATURE_STATE_SIGNED",
+ "FILE_SIGNATURE_STATE_VERIFIED",
+ "FILE_SIGNATURE_STATE_TRUSTED",
+ "FILE_SIGNATURE_STATE_OS",
+ "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
+ ]
+ }
+ ],
+ "reputation": "REP_WHITE",
+ "username": "NT AUTHORITY\\SYSTEM"
+ },
+ "publisher": [
+ {
+ "name": "Microsoft Windows",
+ "state": [
+ "FILE_SIGNATURE_STATE_SIGNED",
+ "FILE_SIGNATURE_STATE_VERIFIED",
+ "FILE_SIGNATURE_STATE_TRUSTED",
+ "FILE_SIGNATURE_STATE_OS",
+ "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
+ ]
+ }
+ ],
+ "reputation": "REP_WHITE",
+ "username": "NT AUTHORITY\\SYSTEM"
+ },
+ "organization_key": "xxxxxxxx",
+ "report": {
+ "name": "Discovery - System Service Discovery Detected",
+ 
"id": "CFnKBKLTv6hUkBGFobRdg-565571",
+ "tags": [
+ "attack",
+ "attackframework",
+ "threathunting",
+ "hunting",
+ "t1007",
+ "recon",
+ "discovery",
+ "windows"
+ ]
+ },
+ "watchlists": [
+ {
+ "name": "ATT\u0026CK Framework",
+ "id": "P5f9AW29TGmTOvBW156Cig"
+ }
+ ],
+ "type": "watchlist.hit",
+ "ioc": {
+ "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true",
+ "id": "565571-0"
+ },
+ "device": {
+ "internal_ip": "10.10.156.12",
+ "external_ip": "67.43.156.12",
+ "os": "WINDOWS"
+ }
+ }
+ },
+ "host": {
+ "hostname": "Carbonblack-win1",
+ "os": {
+ "type": "windows"
+ },
+ "ip": [
+ "10.10.156.12",
+ "67.43.156.12"
+ ],
+ "id": "4467271"
+ },
+ "event": {
+ "kind": "event",
+ "severity": 3,
+ "agent_id_status": "verified",
+ "ingested": "2022-02-17T07:23:31Z",
+ "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc query aella_conf 
\",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}",
+ "dataset": "carbon_black_cloud.watchlist_hit"
+ }
+}
\ No newline at end of file
diff --git a/packages/carbon_black_cloud/1.0.3/docs/README.md b/packages/carbon_black_cloud/1.0.3/docs/README.md
new file mode 100755
index 0000000000..62c93e153b
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/docs/README.md
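Review bot: The parsed fields and `event.original` in this sample describe two different events: the raw string still carries `device_external_ip` `205.234.30.196`, `device_internal_ip` `10.33.4.214` and `org_key` `7DESJ9GN`, while the parsed `device.external_ip`, `device.internal_ip` and `organization_key` read `67.43.156.12`, `10.10.156.12` and `xxxxxxxx`. The sanitisation was evidently applied to the parsed output only, so the fixture cannot be reproduced by running the pipeline over its own `event.original`, and the raw string publishes what looks like a real external address and tenant key. Replacing those three values inside `event.original` with the documentation values already used in the parsed fields, and treating the `7DESJ9GN-` prefix of the `entity_id` values the same way, restores the invariant that the sample is the pipeline's output for its own input.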
@@ -0,0 +1,1047 @@
+# VMware Carbon Black Cloud
+
+The VMware Carbon Black Cloud integration collects and parses data from the Carbon Black Cloud REST APIs and AWS S3 bucket.
+
+## Compatibility
+
+This module has been tested against `Alerts API (v6)`, `Audit Log Events (v3)` and `Vulnerability Assessment (v1)`.
+
+## Requirements
+
+### In order to ingest data from the AWS S3 bucket you must:
+1. Configure the [Data Forwarder](https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-F68F63DD-2271-4088-82C9-71D675CD0535.html) to ingest data into an AWS S3 bucket.
+2. Create an [AWS Access Keys and Secret Access Keys](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
+
+
+### In order to ingest data from the APIs you must generate API keys and API Secret Keys:
+1. In Carbon Black Cloud, On the left navigation pane, click **Settings > API Access**.
+2. Click Add API Key.
+3. Give the API key a unique name and description.
+ - Select the appropriate access level type. Please check required Access Levels & Permissions for integration in below table.
+ **Note:** To use a custom access level, select Custom from the Access Level type drop-down menu and specify the Custom Access Level.
+ - Optional: Add authorized IP addresses.
+ - You can restrict the use of an API key to a specific set of IP addresses for security reasons.
+ **Note:** Authorized IP addresses are not available with Custom keys.
+4. To apply the changes, click Save.
+
+#### Access Levels & Permissions
+- The following tables indicate which type of API Key access level is required. If the type is Custom then the permission that is required will also be included. 
+
+| Data stream | Access Level and Permissions |
+| --------------------------- | ------------------------------------------ |
+| Audit | API |
+| Alert | Custom orgs.alerts (Read) |
+| Asset Vulnerability Summary | Custom vulnerabilityAssessment.data (Read) |
+
+
+## Note
+
+- The alert data stream has a 15-minute delay to ensure that no occurrences are missed.
+
+## Logs
+
+### Audit
+
+This is the `audit` dataset.
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2022-02-10T16:04:30.263Z",
+ "agent": {
+ "ephemeral_id": "6472e86c-fc7c-478a-a6fd-12ed19fe05c9",
+ "hostname": "docker-fleet-agent",
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "carbon_black_cloud": {
+ "audit": {
+ "flagged": false,
+ "verbose": false
+ }
+ },
+ "client": {
+ "ip": "10.10.10.10",
+ "user": {
+ "id": "abc@demo.com"
+ }
+ },
+ "data_stream": {
+ "dataset": "carbon_black_cloud.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-04-14T11:48:30.094Z",
+ "dataset": "carbon_black_cloud.audit",
+ "id": "2122f8ce8xxxxxxxxxxxxx",
+ "ingested": "2022-04-14T11:48:31Z",
+ "kind": "event",
+ "original": "{\"clientIp\":\"10.10.10.10\",\"description\":\"Logged in successfully\",\"eventId\":\"2122f8ce8xxxxxxxxxxxxx\",\"eventTime\":1644509070263,\"flagged\":false,\"loginName\":\"abc@demo.com\",\"orgName\":\"cb-xxxx-xxxx.com\",\"requestUrl\":null,\"verbose\":false}",
+ "outcome": "success",
+ "reason": "Logged in successfully"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "organization": {
+ "name": "cb-xxxx-xxxx.com"
+ },
+ "related": {
+ "ip": [
+ "10.10.10.10"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-audit"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| carbon_black_cloud.audit.flagged | true if action is failed otherwise false. | boolean |
+| carbon_black_cloud.audit.verbose | true if verbose audit log otherwise false. | boolean |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.user.id | Unique identifier of the user. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. 
| text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| organization.name | Organization name. | keyword |
+| organization.name.text | Multi-field of `organization.name`. | match_only_text |
+| related.ip | All of the IPs seen on your event. | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+
+
+### Alert
+
+This is the `alert` dataset. 
+
+An example event for `alert` looks as following:
+
+```json
+{
+ "@timestamp": "2020-11-17T22:05:13.000Z",
+ "agent": {
+ "ephemeral_id": "56053d91-103c-4c77-8f15-0a1006a80102",
+ "hostname": "docker-fleet-agent",
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "carbon_black_cloud": {
+ "alert": {
+ "category": "warning",
+ "device": {
+ "external_ip": "81.2.69.143",
+ "internal_ip": "81.2.69.144",
+ "location": "UNKNOWN",
+ "os": "WINDOWS"
+ },
+ "last_update_time": "2020-11-17T22:05:13Z",
+ "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
+ "organization_key": "ABCD6X3T",
+ "policy": {
+ "applied": "APPLIED",
+ "id": 6997287,
+ "name": "Standard"
+ },
+ "product_id": "0x5406",
+ "product_name": "U3 Cruzer Micro",
+ "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
+ "run_state": "DID_NOT_RUN",
+ "sensor_action": "DENY",
+ "serial_number": "0875920EF7C2A304",
+ "target_value": "MEDIUM",
+ "threat_cause": {
+ "cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
+ "threat_category": "NON_MALWARE",
+ "vector": "REMOVABLE_MEDIA"
+ },
+ "threat_id": "t5678",
+ "type": "DEVICE_CONTROL",
+ "vendor_id": "0x0781",
+ "vendor_name": "SanDisk",
+ "workflow": {
+ "changed_by": "Carbon Black",
+ "last_update_time": "2020-11-17T22:02:16Z",
+ "state": "OPEN"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "carbon_black_cloud.alert",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-04-14T11:46:13.154Z",
+ "dataset": "carbon_black_cloud.alert",
+ "end": "2020-11-17T22:02:16Z",
+ "id": "test1",
+ "ingested": "2022-04-14T11:46:14Z",
+ "kind": "alert",
+ "original": 
"{\"alert_url\":\"https://defense-eap01.conferdeploy.net/alerts?orgId=1889976\",\"category\":\"WARNING\",\"create_time\":\"2020-11-17T22:05:13Z\",\"device_external_ip\":\"81.2.69.143\",\"device_id\":2,\"device_internal_ip\":\"81.2.69.144\",\"device_location\":\"UNKNOWN\",\"device_name\":\"DESKTOP-002\",\"device_os\":\"WINDOWS\",\"device_os_version\":\"Windows 10 x64\",\"device_username\":\"test34@demo.com\",\"first_event_time\":\"2020-11-17T22:02:16Z\",\"id\":\"test1\",\"last_event_time\":\"2020-11-17T22:02:16Z\",\"last_update_time\":\"2020-11-17T22:05:13Z\",\"legacy_alert_id\":\"C8EB7306-AF26-4A9A-B677-814B3AF69720\",\"org_key\":\"ABCD6X3T\",\"policy_applied\":\"APPLIED\",\"policy_id\":6997287,\"policy_name\":\"Standard\",\"product_id\":\"0x5406\",\"product_name\":\"U3 Cruzer Micro\",\"reason\":\"Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.\",\"reason_code\":\"6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC\",\"run_state\":\"DID_NOT_RUN\",\"sensor_action\":\"DENY\",\"serial_number\":\"0875920EF7C2A304\",\"severity\":3,\"target_value\":\"MEDIUM\",\"threat_cause_cause_event_id\":\"FCEE2AF0-D832-4C9F-B988-F11B46028C9E\",\"threat_cause_threat_category\":\"NON_MALWARE\",\"threat_cause_vector\":\"REMOVABLE_MEDIA\",\"threat_id\":\"t5678\",\"type\":\"DEVICE_CONTROL\",\"vendor_id\":\"0x0781\",\"vendor_name\":\"SanDisk\",\"workflow\":{\"changed_by\":\"Carbon Black\",\"comment\":\"\",\"last_update_time\":\"2020-11-17T22:02:16Z\",\"remediation\":\"\",\"state\":\"OPEN\"}}",
+ "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). 
A Deny Policy Action was applied.",
+ "severity": 3,
+ "start": "2020-11-17T22:02:16Z",
+ "url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976"
+ },
+ "host": {
+ "hostname": "DESKTOP-002",
+ "id": "2",
+ "ip": [
+ "81.2.69.144",
+ "81.2.69.143"
+ ],
+ "name": "DESKTOP-002",
+ "os": {
+ "type": "windows",
+ "version": "Windows 10 x64"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-002"
+ ],
+ "ip": [
+ "81.2.69.144",
+ "81.2.69.143"
+ ],
+ "user": [
+ "test34@demo.com"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-alert"
+ ],
+ "user": {
+ "name": "test34@demo.com"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| carbon_black_cloud.alert.blocked_threat_category | The category of threat which we were able to take action on. | keyword |
+| carbon_black_cloud.alert.category | The category of the alert. | keyword |
+| carbon_black_cloud.alert.count | | long |
+| carbon_black_cloud.alert.created_by_event_id | Event identifier that initiated the alert. | keyword |
+| carbon_black_cloud.alert.device.external_ip | External IP of the device. | ip |
+| carbon_black_cloud.alert.device.internal_ip | Internal IP of the device. | ip |
+| carbon_black_cloud.alert.device.location | The Location of device. | keyword |
+| carbon_black_cloud.alert.device.os | OS of the device. | keyword |
+| carbon_black_cloud.alert.document_guid | Unique ID of document. | keyword |
+| carbon_black_cloud.alert.ioc.field | The field the indicator of comprise (IOC) hit contains. | keyword |
+| carbon_black_cloud.alert.ioc.hit | IOC field value or IOC query that matches. | keyword |
+| carbon_black_cloud.alert.ioc.id | The identifier of the IOC that cause the hit. | keyword |
+| carbon_black_cloud.alert.kill_chain_status | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. 
| keyword |
+| carbon_black_cloud.alert.last_update_time | The last time the alert was updated as an ISO 8601 UTC timestamp. | date |
+| carbon_black_cloud.alert.legacy_alert_id | The legacy identifier for the alert. | keyword |
+| carbon_black_cloud.alert.not_blocked_threat_category | Other potentially malicious activity involved in the threat that we weren't able to take action on (either due to policy config, or not having a relevant rule). | keyword |
+| carbon_black_cloud.alert.notes_present | Indicates if notes are associated with the threat_id. | boolean |
+| carbon_black_cloud.alert.organization_key | The unique identifier for the organization associated with the alert. | keyword |
+| carbon_black_cloud.alert.policy.applied | Whether a policy was applied. | keyword |
+| carbon_black_cloud.alert.policy.id | The identifier for the policy associated with the device at the time of the alert. | long |
+| carbon_black_cloud.alert.policy.name | The name of the policy associated with the device at the time of the alert. | keyword |
+| carbon_black_cloud.alert.product_id | The hexadecimal id of the USB device's product. | keyword |
+| carbon_black_cloud.alert.product_name | The name of the USB device’s vendor. | keyword |
+| carbon_black_cloud.alert.reason_code | Shorthand enum for the full-text reason. | keyword |
+| carbon_black_cloud.alert.report.id | The identifier of the report that contains the IOC. | keyword |
+| carbon_black_cloud.alert.report.name | The name of the report that contains the IOC. | keyword |
+| carbon_black_cloud.alert.run_state | Whether the threat in the alert ran. | keyword |
+| carbon_black_cloud.alert.sensor_action | The action taken by the sensor, according to the rule of the policy. | keyword |
+| carbon_black_cloud.alert.serial_number | The serial number of the USB device. | keyword |
+| carbon_black_cloud.alert.status | status of alert. | keyword |
+| carbon_black_cloud.alert.tags | Tags associated with the alert. 
| keyword |
+| carbon_black_cloud.alert.target_value | The priority of the device assigned by the policy. | keyword |
+| carbon_black_cloud.alert.threat_activity.c2 | Whether the alert involved a command and control (c2) server. | keyword |
+| carbon_black_cloud.alert.threat_activity.dlp | Whether the alert involved data loss prevention (DLP). | keyword |
+| carbon_black_cloud.alert.threat_activity.phish | Whether the alert involved phishing. | keyword |
+| carbon_black_cloud.alert.threat_cause.actor.md5 | MD5 of the threat cause actor. | keyword |
+| carbon_black_cloud.alert.threat_cause.actor.name | The name can be one of the following: process commandline, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan. | keyword |
+| carbon_black_cloud.alert.threat_cause.actor.process_pid | Process identifier (PID) of the actor process. | keyword |
+| carbon_black_cloud.alert.threat_cause.actor.sha256 | SHA256 of the threat cause actor. | keyword |
+| carbon_black_cloud.alert.threat_cause.cause_event_id | ID of the Event that triggered the threat. | keyword |
+| carbon_black_cloud.alert.threat_cause.process.guid | The global unique identifier of the process. | keyword |
+| carbon_black_cloud.alert.threat_cause.process.parent.guid | The global unique identifier of the process. | keyword |
+| carbon_black_cloud.alert.threat_cause.reputation | Reputation of the threat cause. | keyword |
+| carbon_black_cloud.alert.threat_cause.threat_category | Category of the threat cause. | keyword |
+| carbon_black_cloud.alert.threat_cause.vector | The source of the threat cause. | keyword |
+| carbon_black_cloud.alert.threat_id | The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | keyword |
+| carbon_black_cloud.alert.threat_indicators.process_name | Process name associated with threat. 
| keyword |
+| carbon_black_cloud.alert.threat_indicators.sha256 | Sha256 associated with threat. | keyword |
+| carbon_black_cloud.alert.threat_indicators.ttps | Tactics, techniques and procedures associated with threat. | keyword |
+| carbon_black_cloud.alert.type | Type of alert. | keyword |
+| carbon_black_cloud.alert.vendor_id | The hexadecimal id of the USB device's vendor. | keyword |
+| carbon_black_cloud.alert.vendor_name | The name of the USB device’s vendor. | keyword |
+| carbon_black_cloud.alert.watchlists.id | The identifier of watchlist. | keyword |
+| carbon_black_cloud.alert.watchlists.name | The name of the watchlist. | keyword |
+| carbon_black_cloud.alert.workflow.changed_by | The name of user who changed the workflow. | keyword |
+| carbon_black_cloud.alert.workflow.comment | Comment associated with workflow. | keyword |
+| carbon_black_cloud.alert.workflow.last_update_time | The last update time of workflow. | date |
+| carbon_black_cloud.alert.workflow.remediation | N/A | keyword |
+| carbon_black_cloud.alert.workflow.state | The state of workflow. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. 
| keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. 
Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. 
| keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.name | Short name or login of the user. 
| keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+
+
+### Endpoint Event
+
+This is the `endpoint_event` dataset.
+
+An example event for `endpoint_event` looks as following:
+
+```json
+{
+ "process": {
+ "parent": {
+ "pid": 1684,
+ "entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
+ "command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
+ "executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
+ "hash": {
+ "sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5",
+ "md5": "03dd698da2671383c9b4f868c9931879"
+ }
+ },
+ "pid": 4880,
+ "entity_id": "XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37",
+ "command_line": "\"route.exe\" print",
+ "executable": "c:\\windows\\system32\\route.exe",
+ "hash": {
+ "sha256": "9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6",
+ "md5": "2498272dc48446891182747428d02a30"
+ }
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "carbon_black_cloud": {
+ "endpoint_event": {
+ "schema": 1,
+ "event_origin": "EDR",
+ "process": {
+ "duration": 2,
+ "parent": {
+ "reputation": "REP_RESOLVING"
+ },
+ "publisher": [
+ {
+ "name": "Microsoft Windows",
+ "state": [
+ "FILE_SIGNATURE_STATE_SIGNED",
+ "FILE_SIGNATURE_STATE_VERIFIED",
+ "FILE_SIGNATURE_STATE_TRUSTED",
+ "FILE_SIGNATURE_STATE_OS",
+ "FILE_SIGNATURE_STATE_CATALOG_SIGNED"
+ ]
+ }
+ ],
+ "reputation": "REP_RESOLVING",
+ "terminated": true,
+ "username": "NT AUTHORITY\\SYSTEM"
+ },
+ "organization_key": "XXXXXXXX",
+ "backend": {
+ "timestamp": "2022-02-10 11:52:50 +0000 UTC"
+ },
+ "target_cmdline": "\"route.exe\" print",
+ "type": "endpoint.event.procend",
+ "device": {
+ "os": "WINDOWS",
+ "timestamp": "2022-02-10 11:51:35.0684097 +0000 UTC",
+ "external_ip": "67.43.156.12"
+ },
+ "sensor_action": "ACTION_ALLOW"
+ }
+ },
+ "host": {
+ "hostname": "client-cb2",
+ "id": 
"4034605", + "os": { + "type": "windows" + }, + "ip": [ + "67.43.156.13" + ] + }, + "event": { + "action": "ACTION_PROCESS_TERMINATE", + "orignal": "{\"type\":\"endpoint.event.procend\",\"process_guid\":\"XXXXXXXX-003d902d-00001310-00000000-1d81e748c4adb37\",\"parent_guid\":\"XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62\",\"backend_timestamp\":\"2022-02-10 11:52:50 +0000 UTC\",\"org_key\":\"XXXXXXXX\",\"device_id\":\"4034605\",\"device_name\":\"client-cb2\",\"device_external_ip\":\"67.43.156.13\",\"device_os\":\"WINDOWS\",\"device_group\":\"\",\"action\":\"ACTION_PROCESS_TERMINATE\",\"schema\":1,\"device_timestamp\":\"2022-02-10 11:51:35.0684097 +0000 UTC\",\"process_terminated\":true,\"process_duration\":2,\"process_reputation\":\"REP_RESOLVING\",\"parent_reputation\":\"REP_RESOLVING\",\"process_pid\":4880,\"parent_pid\":1684,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_path\":\"c:\\\\windows\\\\system32\\\\route.exe\",\"parent_path\":\"c:\\\\windowsazure\\\\guestagent_2.7.41491.1010_2021-05-11_233023\\\\guestagent\\\\windowsazureguestagent.exe\",\"process_hash\":[\"2498272dc48446891182747428d02a30\",\"9e9c7696859b94b1c33a532fa4d5c648226cf3361121dd899e502b8949fb11a6\"],\"parent_hash\":[\"03dd698da2671383c9b4f868c9931879\",\"44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5\"],\"process_cmdline\":\"\\\"route.exe\\\" print\",\"parent_cmdline\":\"C:\\\\WindowsAzure\\\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\\\GuestAgent\\\\WindowsAzureGuestAgent.exe\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"sensor_action\":\"ACTION_ALLOW\",\"event_origin\":\"EDR\",\"target_cmdline\":\"\\\"route.exe\\\" print\"}" + }, + "data_stream": { + "dataset": "carbon_black_cloud.endpoint_event", + "namespace": "ep", + "type": "logs" + }, + "elastic_agent": { + "id": 
"3b20ea47-9610-412d-97e3-47cd19b7e4d5", + "snapshot": true, + "version": "8.0.0" + }, + "input": { + "type": "aws-s3" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-endpoint-event" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.endpoint_event.alert_id | The ID of the Alert this event is associated with. | keyword | +| carbon_black_cloud.endpoint_event.backend.timestamp | Time when the backend received the batch of events. | keyword | +| carbon_black_cloud.endpoint_event.childproc.guid | Unique ID of the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.md5 | Cryptographic MD5 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.hash.sha256 | Cryptographic SHA256 hashes of the executable file backing the child process. | keyword | +| carbon_black_cloud.endpoint_event.childproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.childproc.pid | OS-reported Process ID of the child process. | long | +| carbon_black_cloud.endpoint_event.childproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.childproc.reputation | Carbon Black Cloud Reputation string for the childproc. | keyword | +| carbon_black_cloud.endpoint_event.childproc.username | The username associated with the user context that the child process was started under. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.action | The action taken on cross-process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.api | Name of the operating system API called by the actor process. 
| keyword | +| carbon_black_cloud.endpoint_event.crossproc.guid | Unique ID of the cross process. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.md5 | Cryptographic MD5 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.hash.sha256 | Cryptographic SHA256 hashes of the target of the crossproc event. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.reputation | Carbon Black Cloud Reputation string for the crossproc. | keyword | +| carbon_black_cloud.endpoint_event.crossproc.target | True if the process was the target of the cross-process event; false if the process was the actor. | boolean | +| carbon_black_cloud.endpoint_event.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.endpoint_event.device.os | Os name. | keyword | +| carbon_black_cloud.endpoint_event.device.timestamp | Time seen on sensor. | keyword | +| carbon_black_cloud.endpoint_event.event_origin | Indicates which product the event came from. "EDR" indicates the event originated from Enterprise EDR. "NGAV" indicates the event originated from Endpoint Standard. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline | Deobfuscated script content run in a fileless context by the process. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.cmdline_length | Character count of the deobfuscated script content run in a fileless context. 
| keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.md5 | MD5 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.fileless_scriptload.hash.sha256 | SHA-256 hash of the deobfuscated script content run by the process in a fileless context. | keyword | +| carbon_black_cloud.endpoint_event.modload.count | Count of modload events reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.modload.effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.modload.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.domain | DNS name associated with the "proxy" end of this network connection; may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.ip | IPv4 or IPv6 address in string format associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.netconn.proxy.port | UDP/TCP port number associated with the "proxy" end of this network connection. | keyword | +| carbon_black_cloud.endpoint_event.organization_key | The organization key associated with the console instance. | keyword | +| carbon_black_cloud.endpoint_event.process.duration | The time difference in seconds between the process start and process terminate event. | long | +| carbon_black_cloud.endpoint_event.process.parent.reputation | Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. 
| keyword | +| carbon_black_cloud.endpoint_event.process.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.endpoint_event.process.terminated | True if process was terminated elase false. | boolean | +| carbon_black_cloud.endpoint_event.process.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.endpoint_event.schema | The schema version. The current schema version is "1". This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. | long | +| carbon_black_cloud.endpoint_event.scriptload.count | Count of scriptload events across all processes reported by the sensor since last initialization. | long | +| carbon_black_cloud.endpoint_event.scriptload.effective_reputation | Effective reputation(s) of the script file(s) loaded at process launch; applied by the sensor when the event occurred. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.md5 | Cryptographic MD5 hashes of the target of the scriptload event. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.hash.sha256 | Cryptographic SHA256 hashes of the target of the scriptload event. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.name | Full path to the target of the crossproc event on the device's local file system. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.name | The name of the publisher. | keyword | +| carbon_black_cloud.endpoint_event.scriptload.publisher.state | The state of the publisher. 
| keyword | +| carbon_black_cloud.endpoint_event.scriptload.reputation | Carbon Black Cloud Reputation string for the scriptload. | keyword | +| carbon_black_cloud.endpoint_event.sensor_action | The sensor action taken on event. | keyword | +| carbon_black_cloud.endpoint_event.target_cmdline | Process command line associated with the target process. | keyword | +| carbon_black_cloud.endpoint_event.type | The event type. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dll.hash.md5 | MD5 hash. | keyword | +| dll.hash.sha256 | SHA256 hash. | keyword | +| dll.path | Full file path of the library. | keyword | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. 
Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.pid | Process id. | long | +| process.pid | Process id. | long | +| registry.path | Full path, including hive, key and value | keyword | +| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | + + +### Watchlist Hit + +This is the `watchlist_hit` dataset. 
+ +An example event for `watchlist_hit` looks as following: + +```json +{ + "tags": [ + "preserve_original_event", + "forwarded", + "carbon_black_cloud-watchlist-hit" + ], + "input": { + "type": "aws-s3" + }, + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "carbon_black_cloud.watchlist_hit" + }, + "agent": { + "id": "e0d5f508-9616-400f-b26b-bb1aa6638b80", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "8.0.0" + }, + "process": { + "parent": { + "pid": 4076, + "entity_id": "7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1", + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc query aella_conf | findstr RUNNING \u003e null\"", + "executable": "c:\\windows\\syswow64\\cmd.exe", + "hash": { + "sha256": "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22", + "md5": "d0fce3afa6aa1d58ce9fa336cc2b675b" + } + }, + "pid": 7516, + "entity_id": "7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6", + "command_line": "sc query aella_conf ", + "executable": "c:\\windows\\syswow64\\sc.exe", + "hash": { + "sha256": "4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2", + "md5": "d9d7684b8431a0d10d0e76fe9f5ffec8" + } + }, + "carbon_black_cloud": { + "watchlist_hit": { + "schema": 1, + "process": { + "parent": { + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "publisher": [ + { + "name": "Microsoft Windows", + "state": [ + "FILE_SIGNATURE_STATE_SIGNED", + "FILE_SIGNATURE_STATE_VERIFIED", + "FILE_SIGNATURE_STATE_TRUSTED", + "FILE_SIGNATURE_STATE_OS", + "FILE_SIGNATURE_STATE_CATALOG_SIGNED" + ] + } + ], + "reputation": "REP_WHITE", + "username": "NT AUTHORITY\\SYSTEM" + }, + "organization_key": "xxxxxxxx", + "report": { + "name": 
"Discovery - System Service Discovery Detected", + "id": "CFnKBKLTv6hUkBGFobRdg-565571", + "tags": [ + "attack", + "attackframework", + "threathunting", + "hunting", + "t1007", + "recon", + "discovery", + "windows" + ] + }, + "watchlists": [ + { + "name": "ATT\u0026CK Framework", + "id": "P5f9AW29TGmTOvBW156Cig" + } + ], + "type": "watchlist.hit", + "ioc": { + "hit": "((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true", + "id": "565571-0" + }, + "device": { + "internal_ip": "10.10.156.12", + "external_ip": "67.43.156.12", + "os": "WINDOWS" + } + } + }, + "host": { + "hostname": "Carbonblack-win1", + "os": { + "type": "windows" + }, + "ip": [ + "10.10.156.12", + "67.43.156.12" + ], + "id": "4467271" + }, + "event": { + "kind": "event", + "severity": 3, + "agent_id_status": "verified", + "ingested": "2022-02-17T07:23:31Z", + "original": "{\"schema\":1,\"create_time\":\"2022-02-10T23:54:32.449Z\",\"device_external_ip\":\"205.234.30.196\",\"device_id\":4467271,\"device_internal_ip\":\"10.33.4.214\",\"device_name\":\"Carbonblack-win1\",\"device_os\":\"WINDOWS\",\"ioc_hit\":\"((process_name:sc.exe -parent_name:svchost.exe) AND process_cmdline:query) -enriched:true\",\"ioc_id\":\"565571-0\",\"org_key\":\"7DESJ9GN\",\"parent_cmdline\":\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"sc query aella_conf | findstr RUNNING \\u003e null\\\"\",\"parent_guid\":\"7DESJ9GN-00442a47-00000fec-00000000-1d81ed87d4655d1\",\"parent_hash\":[\"d0fce3afa6aa1d58ce9fa336cc2b675b\",\"4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22\"],\"parent_path\":\"c:\\\\windows\\\\syswow64\\\\cmd.exe\",\"parent_pid\":4076,\"parent_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"parent_reputation\":\"REP_WHITE\",\"parent_username\":\"NT AUTHORITY\\\\SYSTEM\",\"process_cmdline\":\"sc 
query aella_conf \",\"process_guid\":\"7DESJ9GN-00442a47-00001d5c-00000000-1d81ed87d63d2c6\",\"process_hash\":[\"d9d7684b8431a0d10d0e76fe9f5ffec8\",\"4fe6d9eb8109fb79ff645138de7cff37906867aade589bd68afa503a9ab3cfb2\"],\"process_path\":\"c:\\\\windows\\\\syswow64\\\\sc.exe\",\"process_pid\":7516,\"process_publisher\":[{\"name\":\"Microsoft Windows\",\"state\":\"FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED\"}],\"process_reputation\":\"REP_WHITE\",\"process_username\":\"NT AUTHORITY\\\\SYSTEM\",\"report_id\":\"CFnKBKLTv6hUkBGFobRdg-565571\",\"report_name\":\"Discovery - System Service Discovery Detected\",\"report_tags\":[\"attack\",\"attackframework\",\"threathunting\",\"hunting\",\"t1007\",\"recon\",\"discovery\",\"windows\"],\"severity\":3,\"type\":\"watchlist.hit\",\"watchlists\":[{\"id\":\"P5f9AW29TGmTOvBW156Cig\",\"name\":\"ATT\\u0026CK Framework\"}]}", + "dataset": "carbon_black_cloud.watchlist_hit" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| carbon_black_cloud.watchlist_hit.device.external_ip | External IP of the device. | ip | +| carbon_black_cloud.watchlist_hit.device.internal_ip | Internal IP of the device. | ip | +| carbon_black_cloud.watchlist_hit.device.os | OS Type of device (Windows/OSX/Linux). | keyword | +| carbon_black_cloud.watchlist_hit.ioc.field | Field the IOC hit contains. | keyword | +| carbon_black_cloud.watchlist_hit.ioc.hit | IOC field value, or IOC query that matches. | keyword | +| carbon_black_cloud.watchlist_hit.ioc.id | ID of the IOC that caused the hit. | keyword | +| carbon_black_cloud.watchlist_hit.organization_key | The organization key associated with the console instance. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.publisher.name | The name of the publisher. 
| keyword | +| carbon_black_cloud.watchlist_hit.process.parent.publisher.state | The state of the publisher. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.watchlist_hit.process.parent.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.watchlist_hit.process.reputation | Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud. | keyword | +| carbon_black_cloud.watchlist_hit.process.username | The username associated with the user context that this process was started under. | keyword | +| carbon_black_cloud.watchlist_hit.report.id | ID of the watchlist report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.report.name | Name of the watchlist report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.report.tags | List of tags associated with the report(s) that detected a hit on the process. | keyword | +| carbon_black_cloud.watchlist_hit.schema | Schema version. | long | +| carbon_black_cloud.watchlist_hit.type | The watchlist hit type. | keyword | +| carbon_black_cloud.watchlist_hit.watchlists.id | The ID of the watchlists. | keyword | +| carbon_black_cloud.watchlist_hit.watchlists.name | The name of the watchlists. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. 
| keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset. | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module. | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.pid | Process id. | long |
+| process.pid | Process id. | long |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+
+
+### Asset Vulnerability Summary
+
+This is the `asset_vulnerability_summary` dataset.
+
+An example event for `asset_vulnerability_summary` looks as following:
+
+```json
+{
+ "@timestamp": "2022-04-14T11:47:25.371Z",
+ "agent": {
+ "ephemeral_id": "377d9292-c7d0-4c30-bbee-faf4848d30d8",
+ "hostname": "docker-fleet-agent",
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "carbon_black_cloud": {
+ "asset_vulnerability_summary": {
+ "last_sync": {
+ "timestamp": "2022-01-17T08:33:37.384Z"
+ },
+ "os_info": {
+ "os_arch": "64-bit"
+ },
+ "sync": {
+ "status": "COMPLETED",
+ "type": "SCHEDULED"
+ },
+ "type": "ENDPOINT",
+ "vuln_count": 1770
+ }
+ },
+ "data_stream": {
+ "dataset": "carbon_black_cloud.asset_vulnerability_summary",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "4f53bc01-9d14-4e27-b716-9b41958e11e0",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-04-14T11:47:25.371Z",
+ "dataset": "carbon_black_cloud.asset_vulnerability_summary",
+ "ingested": "2022-04-14T11:47:26Z",
+ "original": "{\"cve_ids\":null,\"device_id\":8,\"highest_risk_score\":10,\"host_name\":\"DESKTOP-008\",\"last_sync_ts\":\"2022-01-17T08:33:37.384932Z\",\"name\":\"DESKTOP-008KK\",\"os_info\":{\"os_arch\":\"64-bit\",\"os_name\":\"Microsoft Windows 10 Education\",\"os_type\":\"WINDOWS\",\"os_version\":\"10.0.17763\"},\"severity\":\"CRITICAL\",\"sync_status\":\"COMPLETED\",\"sync_type\":\"SCHEDULED\",\"type\":\"ENDPOINT\",\"vm_id\":\"\",\"vm_name\":\"\",\"vuln_count\":1770}"
+ },
+ "host": {
+ "hostname": "DESKTOP-008",
+ "id": "8",
+ "name": "DESKTOP-008KK",
+ "os": {
+ "name": "Microsoft Windows 10 Education",
+ "type": "windows",
+ "version": "10.0.17763"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hosts": [
+ "DESKTOP-008"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "carbon_black_cloud-asset-vulnerability-summary"
+ ],
+ "vulnerability": {
+ "score": {
+ "base": 10
+ },
+ "severity": "CRITICAL"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| carbon_black_cloud.asset_vulnerability_summary.last_sync.timestamp | The identifier is for the Last sync time. | date |
+| carbon_black_cloud.asset_vulnerability_summary.os_info.os_arch | The identifier is for the Operating system architecture. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.sync.status | The identifier is for the Device sync status. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.sync.type | The identifier is for the Whether a manual sync was triggered for the device, or if it was a scheduled sync. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.type | The identifier is for the Device type. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.vm.id | The identifier is for the Virtual Machine ID. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.vm.name | The identifier is for the Virtual Machine name. | keyword |
+| carbon_black_cloud.asset_vulnerability_summary.vuln_count | The identifier is for the Number of vulnerabilities at this level. | integer |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float |
+| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword |
diff --git a/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-logo.svg b/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-logo.svg
new file mode 100755
index 0000000000..180cc3d212
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-logo.svg
@@ -0,0 +1,91 @@
+ + + + +Created by potrace 1.16, written by Peter Selinger 2001-2019 + + + + + + + + + + + + + + + + + + + + +
diff --git a/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-screenshot.png b/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-screenshot.png
new file mode 100755
index 0000000000..6fda3c108d
Binary files /dev/null and b/packages/carbon_black_cloud/1.0.3/img/carbon_black_cloud-screenshot.png differ
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
new file mode 100755
index 0000000000..4879b5460d
--- /dev/null
+++ b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b.json
@@ -0,0 +1,158 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"w\":16,\"x\":0,\"y\":0},\"panelIndex\":\"c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"panelRefName\":\"panel_c54d9223-56ad-42b4-9452-a44657dbcd6e\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"w\":16,\"x\":16,\"y\":0},\"panelIndex\":\"d3728fd5-5390-4448-8f26-277521569f30\",\"panelRefName\":\"panel_d3728fd5-5390-4448-8f26-277521569f30\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"w\":16,\"x\":32,\"y\":0},\"panelIndex\":\"f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"panelRefName\":\"panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"panelRefName\":\"panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"909c2914-4695-42dd-aa36-93e043a5c025\",\"panelRefName\":\"panel_909c2914-4695-42dd-aa36-93e043a5c025\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridDa
ta\":{\"h\":15,\"i\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"panelRefName\":\"panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"panelRefName\":\"panel_9e320d15-f9df-4aea-9564-ac1c4257b51b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"panelRefName\":\"panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"panelRefName\":\"panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"ed2de824-c493-4240-a6b5-329889c40c43\",\"panelRefName\":\"panel_ed2de824-c493-4240-a6b5-329889c40c43\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"panelRefName\":\"panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bf749130-3138-45fe-a010-5b30b4636e7b\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"bf749130-3138-45fe-
a010-5b30b4636e7b\",\"panelRefName\":\"panel_bf749130-3138-45fe-a010-5b30b4636e7b\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"44ed553e-d5cc-4841-85e9-0d8af122086a\",\"panelRefName\":\"panel_44ed553e-d5cc-4841-85e9-0d8af122086a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"panelRefName\":\"panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"panelRefName\":\"panel_42b64f1c-9526-4430-8f62-cc6596cf07d7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"panelRefName\":\"panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"ef6af3c0-10e9-46af-933c-a032464bdecf\",\"panelRefName\":\"panel_ef6af3c0-10e9-46af-933c-a032464bdecf\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"w\":24,\"x\":0,\"y\":120},\"panelIndex\":\"f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"panelRefName\":\"panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc\",\"type\":\"visualization\",\"version\"
:\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"w\":24,\"x\":24,\"y\":120},\"panelIndex\":\"247ad399-6383-4bf0-910e-9cb6767781c3\",\"panelRefName\":\"panel_247ad399-6383-4bf0-910e-9cb6767781c3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"w\":24,\"x\":0,\"y\":135},\"panelIndex\":\"5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"panelRefName\":\"panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"w\":24,\"x\":24,\"y\":135},\"panelIndex\":\"0a228399-6f69-4803-b4cd-65f30dca5890\",\"panelRefName\":\"panel_0a228399-6f69-4803-b4cd-65f30dca5890\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b015940-3fee-411a-be82-661078ead366\",\"w\":24,\"x\":0,\"y\":150},\"panelIndex\":\"5b015940-3fee-411a-be82-661078ead366\",\"panelRefName\":\"panel_5b015940-3fee-411a-be82-661078ead366\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"w\":24,\"x\":24,\"y\":150},\"panelIndex\":\"655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"panelRefName\":\"panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"w\":24,\"x\":0,\"y\":165},\"panelIndex\":\"8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"panelRefName\":\"panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"2d6c60e3-32cc-4746-bc7d-3fa40b8
0447c\",\"w\":24,\"x\":24,\"y\":165},\"panelIndex\":\"2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"panelRefName\":\"panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":23,\"i\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"w\":48,\"x\":0,\"y\":180},\"panelIndex\":\"bc34dc1a-ba27-489e-a950-90a978974351\",\"panelRefName\":\"panel_bc34dc1a-ba27-489e-a950-90a978974351\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-1h", + "timeRestore": true, + "timeTo": "now", + "title": "[Carbon Black Cloud] Alert", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7e095a40-e325-11ec-8642-e7f3d8b25a9b", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "name": "c54d9223-56ad-42b4-9452-a44657dbcd6e:panel_c54d9223-56ad-42b4-9452-a44657dbcd6e", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "name": "d3728fd5-5390-4448-8f26-277521569f30:panel_d3728fd5-5390-4448-8f26-277521569f30", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "name": "f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c:panel_f1a29b4b-19d4-4ce2-84ac-d82761bd0e2c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "name": "5f57acd4-74a8-4d97-9e7b-d7b069efc867:panel_5f57acd4-74a8-4d97-9e7b-d7b069efc867", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "name": "909c2914-4695-42dd-aa36-93e043a5c025:panel_909c2914-4695-42dd-aa36-93e043a5c025", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "name": 
"c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5:panel_c1ebdebc-a37b-48db-b2b1-6bcbcebea6d5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "name": "9e320d15-f9df-4aea-9564-ac1c4257b51b:panel_9e320d15-f9df-4aea-9564-ac1c4257b51b", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "name": "5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c:panel_5eb1ba4d-7c85-44c2-9d82-0ff45b8a3d1c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "name": "7da33ed3-29d9-4fe1-87a9-4debfc7bdd24:panel_7da33ed3-29d9-4fe1-87a9-4debfc7bdd24", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "name": "ed2de824-c493-4240-a6b5-329889c40c43:panel_ed2de824-c493-4240-a6b5-329889c40c43", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "name": "a6d4e61e-57bc-413a-8c68-5f55ab59e16a:panel_a6d4e61e-57bc-413a-8c68-5f55ab59e16a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "name": "bf749130-3138-45fe-a010-5b30b4636e7b:panel_bf749130-3138-45fe-a010-5b30b4636e7b", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "name": "44ed553e-d5cc-4841-85e9-0d8af122086a:panel_44ed553e-d5cc-4841-85e9-0d8af122086a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "name": "cd3cb74e-b13e-4a52-a48c-82d13a59421a:panel_cd3cb74e-b13e-4a52-a48c-82d13a59421a", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "name": "42b64f1c-9526-4430-8f62-cc6596cf07d7:panel_42b64f1c-9526-4430-8f62-cc6596cf07d7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "name": 
"b2fe20be-cad5-4bfa-abd1-c9b069fd2494:panel_b2fe20be-cad5-4bfa-abd1-c9b069fd2494", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "name": "ef6af3c0-10e9-46af-933c-a032464bdecf:panel_ef6af3c0-10e9-46af-933c-a032464bdecf", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "name": "f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc:panel_f9aeff58-ece5-4b1d-80e2-83cc30cf4bbc", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "name": "247ad399-6383-4bf0-910e-9cb6767781c3:panel_247ad399-6383-4bf0-910e-9cb6767781c3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "name": "5c60fc1b-5ad1-4036-8adc-ce9adf455758:panel_5c60fc1b-5ad1-4036-8adc-ce9adf455758", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", + "name": "0a228399-6f69-4803-b4cd-65f30dca5890:panel_0a228399-6f69-4803-b4cd-65f30dca5890", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "name": "5b015940-3fee-411a-be82-661078ead366:panel_5b015940-3fee-411a-be82-661078ead366", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "name": "655bc1d2-5c31-4a38-9759-ab72f88bdb92:panel_655bc1d2-5c31-4a38-9759-ab72f88bdb92", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "name": "8cdf7cdc-1858-4561-9e3b-5b5c73498586:panel_8cdf7cdc-1858-4561-9e3b-5b5c73498586", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "name": "2d6c60e3-32cc-4746-bc7d-3fa40b80447c:panel_2d6c60e3-32cc-4746-bc7d-3fa40b80447c", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "name": 
"bc34dc1a-ba27-489e-a950-90a978974351:panel_bc34dc1a-ba27-489e-a950-90a978974351", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..129cd1c62a --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"table\":null,\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":831}]}}},\"gridData\":{\"h\":15,\"i\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"c8d90872-b3b3-447d-a9fc-ada6409efeb2\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"16128cf1-2134-46a9-9fd3-19889a2a6c9e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"84a10ea8-959c-4fe7-852d-835b3786ed17\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"cd3e5a79-3640-47ff-95cd-c54debb5ee2d\",\"panelRefName\":\"panel_3\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-869252c0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_0", + "type": "visualization" + }, + { + "id": 
"carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e3f216759c --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"carbon_black_cloud.endpoint_event.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"f19543f7-04f5-42dd-849b-5f2fd8ca15f8\",\"title\":\"[Carbon Black Cloud] Top 10 Event 
Types\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bee43023-c427-4176-ba31-2c4831cbc44e\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"1727b9fb-4ba0-4f78-aa54-0d52db62b624\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"10a11498-6416-4b72-adc6-78a5d7937428\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"719006b6-32b2-4ed0-aecd-a1a1f37b471b\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"735f366c-91c5-4f33-961f-4db200acc05c\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"14a95a5a-61e8-459c-95bc-d1b11eed9054\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IP\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"3cc67760-3bba-4282-b91e-db120e8abe4e\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9df5251e-52af-4509-b30e-d62f8ef9a3a3\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"04d664de-8814-4314-8f6e-2774b11ab572\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"c80e4ab0-c5b5-4916-9025-d006a37aa7ba\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"f57a7bf6-bc25-433b-8019-6489124907b6\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"c9984aec-8f3f-456a-aa80-b1fc314eb681\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"3232147b-0914-4432-ba42-0c6c03414e4b\",\"panelRefName\":\"panel_12\",\"title\":\"[Carbon 
Black Cloud] Top 10 Effective Reputation of Loaded Modules\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"w\":48,\"x\":0,\"y\":105},\"panelIndex\":\"391470e2-57a0-46c7-86bd-f66c6eb2ed66\",\"panelRefName\":\"panel_13\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Endpoint Event", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a94cd3a0-962a-11ec-864c-3332b2a355f7", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "f19543f7-04f5-42dd-849b-5f2fd8ca15f8:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "name": 
"panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "name": "panel_13", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ee0df3955b --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf.json 
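Review bot: The first panel `f19543f7-04f5-42dd-849b-5f2fd8ca15f8` in panelsJSON is the only by-value visualization in this dashboard (its `savedVis` is embedded inline with `\"id\":\"\"` and pins `\"index\":\"logs-*\"`), whereas panel_0 through panel_13 are by-reference saved objects resolved via `panelRefName`. That leaves one pie chart unmanaged by the package's visualization files and is the reason for the extra `logs-*` index-pattern entry at the top of `references`. Consider exporting it as a visualization object and replacing the embedded `savedVis` with a `panelRefName` entry so it is versioned and migrated like the rest of the dashboard. If it is extracted, the panel-level `\"title\":\"[Carbon Black Cloud] Top 10 Event Types\"` should be set on the saved object as well, since the inner `savedVis.title` is currently empty.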
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"604c7824-2086-4750-bd55-42ffffa9fc11\",\"panelRefName\":\"panel_0\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"bd12665d-43af-45c1-b05e-556ed72556fa\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"fab676af-f870-4fd6-ac5d-3e17a224aaa8\",\"panelRefName\":\"panel_2\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"e3d4c200-17e9-4303-9073-b9dc8c95a790\",\"panelRefName\":\"panel_3\",\"title\":\"[Carbon Black Cloud] 
Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"table\":null,\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"624500b9-5f23-4c1c-b84b-83c5f20b72bb\",\"panelRefName\":\"panel_4\",\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"0ec67461-93e2-49df-bcd9-3407fabd5832\",\"panelRefName\":\"panel_5\",\"title\":\"[Carbon Black Cloud] Top 10 Hosts with Highest Risk Score\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"66d4f664-5644-48c9-b179-ddd94e1a3e46\",\"panelRefName\":\"panel_6\",\"title\":\"[Carbon Black Cloud] Top 10 OS Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":20,\"i\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6e5579cc-cd91-4f7b-a221-e9bed77aa2b5\",\"panelRefName\":\"panel_7\",\"title\":\"[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"244dc3ee-7810-4f22-b915-bc0a8118fb2a\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": 
"[Carbon Black Cloud] Asset Vulnerability Summary", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-db61a3d0-9534-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "name": "panel_7", + "type": "search" + }, + { + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..94761c84e1 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/dashboard/carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"8dc3cf12-046a-4901-b213-c29985291e77\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.watchlist_hit.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4f7b5cef-a7e9-44a9-8769-44d5326a8df4\",\"title\":\"[Carbon Black Cloud] Top 10 Device External 
IPs\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit Name\",\"field\":\"carbon_black_cloud.watchlist_hit.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Watchlist Hit Names\",\"type\":\"table\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"3d454d18-6baa-40de-aa94-4ebfaee9a759\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Severity\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"b0289aae-02bb-472e-8a22-07ff9f5d2372\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"d29f5a98-736d-4f47-877e-b4552d15f889\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Reputation\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"searchSource\":{\"filter\":[],\"index\":\"logs-*\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: 
\\\"carbon_black_cloud.watchlist_hit\\\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"ae5c96d5-b7d6-45f8-b57b-42cc190f990b\",\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"w\":24,\"x\":0,\"y\":45},\"panelIndex\":\"f3ba83bc-4f34-4131-9a0c-bac18ec92ac0\",\"panelRefName\":\"panel_1\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher 
Names\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"w\":24,\"x\":24,\"y\":45},\"panelIndex\":\"5271fb1f-64a6-461e-b2de-4abc76736af6\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"w\":24,\"x\":0,\"y\":60},\"panelIndex\":\"9c2fdcbe-43cb-4070-88ef-03e6e5082636\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"w\":24,\"x\":24,\"y\":60},\"panelIndex\":\"bc0503e7-6c6d-4edf-a76e-17a74f7d0957\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"w\":24,\"x\":0,\"y\":75},\"panelIndex\":\"d02cda3a-ceef-4766-b25b-456733be2a66\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"w\":24,\"x\":24,\"y\":75},\"panelIndex\":\"5b66a72e-ce08-441c-8705-bb632b896745\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"w\":24,\"x\":0,\"y\":90},\"panelIndex\":\"6bff08c7-8ffb-423e-87de-f7585aa6bc86\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"w\":24,\"x\":24,\"y\":90},\"panelIndex\":\"437c123b-c447-476e-a28b-f3d965a50968\",\"panelRefName\":\"panel_8\",\"type\":\"visualiz
ation\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"w\":24,\"x\":0,\"y\":105},\"panelIndex\":\"33d80097-0089-4b48-8fd9-5dcda9e58e48\",\"panelRefName\":\"panel_9\",\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"w\":24,\"x\":24,\"y\":105},\"panelIndex\":\"50a006ac-7108-47e5-adef-876c15fc8b44\",\"panelRefName\":\"panel_10\",\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher States\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":31,\"i\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"w\":48,\"x\":0,\"y\":120},\"panelIndex\":\"cfec84cb-87af-4b98-b855-17372eee70c8\",\"panelRefName\":\"panel_11\",\"type\":\"search\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Carbon Black Cloud] Watchlist Hit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-e226d530-9554-11ec-96f0-8de26c63c826", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "4f7b5cef-a7e9-44a9-8769-44d5326a8df4:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3d454d18-6baa-40de-aa94-4ebfaee9a759:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0289aae-02bb-472e-8a22-07ff9f5d2372:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"d29f5a98-736d-4f47-877e-b4552d15f889:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae5c96d5-b7d6-45f8-b57b-42cc190f990b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "name": "panel_11", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..fde5382f93 --- /dev/null 
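Review bot: The by-value pie panel `ae5c96d5-b7d6-45f8-b57b-42cc190f990b` aggregates on `carbon_black_cloud.watchlist_hit.process.parent.reputation` and is titled "…by Parent Process Reputation" at the panel level, but its embedded `savedVis.title` still reads `"[Carbon Black Cloud] Distribution of Watchlist Hit by Process Reputation"`, identical to the sibling panel `d29f5a98-736d-4f47-877e-b4552d15f889`; this looks like a copy-paste leftover and presumably would surface as the wrong title if the panel override were removed or the panel were saved to the library. Change the inner title to `\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Parent Process Reputation\"`. The same five by-value panels each pin `\"index\":\"logs-*\"` (hence the five `logs-*` index-pattern references) and spell the same KQL filter two ways (`data_stream.dataset :` vs `data_stream.dataset:`), unlike the by-reference panels panel_0 through panel_11 in this dashboard; consider saving them as visualization objects referenced via `panelRefName` so they are managed consistently with the rest of the package.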
+++ b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "carbon_black_cloud.watchlist_hit.watchlists.name", + "process.command_line", + "process.parent.command_line", + "process.executable", + "process.parent.executable", + "carbon_black_cloud.watchlist_hit.ioc.id", + "carbon_black_cloud.watchlist_hit.ioc.hit" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Watchlist Hit Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3ea9c2a0-955e-11ec-96f0-8de26c63c826", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fdc104f3b2 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "event.id", + "client.user.id", + "event.reason", + "client.ip" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Audit Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4272e690-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..800a5cb006 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "carbon_black_cloud.endpoint_event.type", + "process.command_line", + "process.parent.command_line", + "dll.path", + "carbon_black_cloud.endpoint_event.target_cmdline", + "process.executable", + "process.parent.executable" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Endpoint Events Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6494a7e0-9640-11ec-864c-3332b2a355f7", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1a37e59347 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,37 @@ +{ + "attributes": { + "columns": [ + "event.id", + "event.reason", + "event.url", + "carbon_black_cloud.alert.threat_indicators.process_name", + "carbon_black_cloud.alert.category" + ], + "description": "", + "grid": {}, + "hideChart": true, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Alerts Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6e41bd70-8d8d-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..c060c3bd41 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/search/carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [ + "host.hostname", + "vulnerability.severity", + "vulnerability.score.base", + "carbon_black_cloud.asset_vulnerability_summary.vuln_count" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Carbon Black Cloud] Asset Vulnerability Assessment Essential Details" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-dcc2d650-90a6-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bf6bf9170c --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0296fef0-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..329118ed72 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by OS, OS version", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":true,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by OS, OS version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0a8f5e90-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } 
+ ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fb78529067 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Client IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Client IPs\",\"field\":\"client.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Client IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-0f420ad0-8d71-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..edfb4ab922 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators TTPS\",\"field\":\"carbon_black_cloud.alert.threat_indicators.ttps\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"posit
ion\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Indicators TTPS\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-10f699d0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..e058315a1e --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Actions\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show
\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Top 10 Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-11df3480-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..e9926e3521 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by OS", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS\",\"field\":\"carbon_black_cloud.watchlist_hit.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-17537cc0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
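Review bot: The KQL filter inside searchSourceJSON is written `data_stream.dataset: \"carbon_black_cloud.watchlist_hit\"` with no space before the colon, whereas every other saved object in this package writes `data_stream.dataset : \"...\"`. KQL accepts both spellings, so this is a point of style only, but the two other watchlist_hit visualizations (Top 10 Process Publisher Name, id 3aa59c50, and Top 10 IOC Hits, id 4dc9e690) carry the same variant. Aligning all three on the `data_stream.dataset : ` form keeps the exported objects uniform and makes a later search-and-replace of the dataset filter reliable.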
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5c97a8d4eb --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"event.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-1b554010-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..8bb3adabfb --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher State\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-28323940-955d-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7bec55f465 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":9},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2be6ad50-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
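Review bot: The terms aggregation in visState requests `\"size\":9` while the object is titled `[Carbon Black Cloud] Top 10 Child Process Username`, so the table can show at most nine usernames. Every other "Top 10" table visualization in this package uses `\"size\":10`. Change the bucket size to `\"size\":10` (or retitle the visualization) so the label and the data agree.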
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..e4b7fe64f8 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d1eedf0-9629-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..6b1cb56ea0 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Origin\",\"field\":\"carbon_black_cloud.endpoint_event.event_origin\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{
\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Event Origin\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2d324250-963e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c59f3f2623 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95.json 
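Review bot: The value axis of this horizontal bar visualization has an empty title (`\"title\":{\"text\":\"\"}`) and the count metric has no label (`\"params\":{}` on aggregation 1), whereas the sibling horizontal bar objects in this package (Alerts by Threat Indicators TTPS, Top 10 Actions, Alerts by Category of the Threat Cause) label both as Count. Set `\"customLabel\":\"Count\"` on aggregation 1 and `\"title\":{\"text\":\"Count\"}` on ValueAxis-1 so the axis is not rendered unlabeled. The hunk begins on the preceding line.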
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"Le
ftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-2eafd430-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a01e78828 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3aa59c50-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..682f389163 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by OS", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device OS\",\"field\":\"carbon_black_cloud.endpoint_event.device.os\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by OS\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-3afe1750-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..7af6d5ad55 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hits", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.watchlist_hit.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hits\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-4dc9e690-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c116157a2 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Category", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Category\",\"field\":\"carbon_black_cloud.alert.category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Category\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-52fde850-8d73-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3ced47d3fe --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-53d65ef0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..60cf2f819b --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type, OS Version", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Type\",\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Version\",\"field\":\"host.os.version\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"row\":true,\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type, OS Version\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-56130b90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + 
], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..411603d6cc --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf.json 
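Review bot: The `"title"` on this saved object, `Distribution of Asset Vulnerability Summary by OS Type, OS Version`, drops the `[Carbon Black Cloud]` prefix that every alert, endpoint_event and watchlist_hit visualization in this commit carries, which makes the vulnerability panels harder to find among the package's other saved objects in Kibana and reads as an inconsistency in the dashboard set. The same applies to the other asset_vulnerability_summary visualizations added here: `Distribution of Asset Vulnerability Summary by Type`, `... by OS Type`, `... by OS Architecture`, `... by Severity`, `Top 10 OS Names` and `Top 10 Hosts with Highest Vulnerability Count`. Suggest `"title": "[Carbon Black Cloud] Distribution of Asset Vulnerability Summary by OS Type, OS Version",` together with the duplicate `\"title\"` inside the escaped `visState` string, which must stay in sync. Since these files are Kibana exports, the rename is best made in Kibana and re-exported rather than hand-edited in the escaped JSON.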
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"carbon_black_cloud.asset_vulnerability_summary.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"norm
al\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Distribution of Asset Vulnerability Summary by Type\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5a5dad90-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..811d8c6112 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source of the Threat Cause\",\"field\":\"carbon_black_cloud.alert.threat_cause.vector\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"
position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Source of the Threat Cause\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c122d10-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..e390c83ecc --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by IOC field", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Field\",\"field\":\"carbon_black_cloud.alert.ioc.field\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"
normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by IOC field\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5c6ce550-8d85-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..bdd43d6d65 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.os.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-5f690780-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..a8622511b3 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by OS Architecture", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"host.architecture\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":true,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by OS Architecture\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6496b680-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..02160d4bea --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 OS Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Names\",\"field\":\"host.os.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"row\":false,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 OS Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-68a6c080-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6c64141f00 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Vulnerability Count", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Vulnerability Count\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.vuln_count\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Vulnerability Count\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6bfd1770-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..630d474e6e --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Workflow State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Workflow State\",\"field\":\"carbon_black_cloud.alert.workflow.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Workflow State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6efc6240-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..228daf684c --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Publisher Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Publisher Name\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Publisher Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-6fcd17f0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..1bd12c5d2e --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Severity", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-70cdb250-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json new file mode 100755 index 0000000000..0919e5e20a --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Cause Actor Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Cause Actor Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-71058370-e323-11ec-8642-e7f3d8b25a9b", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..0a3d26dad2 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Report Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Report Name\",\"field\":\"carbon_black_cloud.watchlist_hit.report.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Report Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-715f3ec0-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..6e873422cb --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Highest Risk Score", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Risk Score\",\"field\":\"vulnerability.score.base\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Highest Risk Score\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-750fefe0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..48a0ff614a --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.process.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-76fe1db0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..b549ad14a1 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync type\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-792a3310-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..116934a90e --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher State", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher State\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher State\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7a6261e0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..ebce21d74d --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Distribution of Asset Vulnerability Summary by Sync Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sync Status\",\"field\":\"carbon_black_cloud.asset_vulnerability_summary.sync.status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Distribution of Asset Vulnerability Summary by Sync Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-7caf3b20-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json new file mode 100755 index 0000000000..8f11ac69cf --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.asset_vulnerability_summary\\\"\"}}" + }, + "title": "Top 10 Hosts with Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Severity\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Hostname\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"vulnerability.severity\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"Top 10 Hosts with Severity\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-80778dc0-954a-11ec-8b9d-35e42c3f7fcf", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..5d57824451 --- /dev/null 
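Review bot: In this hunk's visState the count metric (agg id `1`) carries `customLabel: "Severity"`, so the table titled "Top 10 Hosts with Severity" displays a document count under a column named Severity, which an analyst will read as a severity value; the actual severity data only enters through the cardinality `orderAgg` on `vulnerability.severity` that orders the buckets. Label the metric for what it is — `\"customLabel\":\"Count\"`, as the sibling table visualizations in this commit do — or, if the intent is to show how many distinct severities each host carries, make the displayed metric the cardinality aggregation and name the column accordingly so value and label agree. The `description` attribute is also empty here; a one-line description of what the table ranks would help dashboard readers.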
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 IOC Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"IOC Hit\",\"field\":\"carbon_black_cloud.alert.ioc.hit\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 IOC Hit\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-89932a20-8d86-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..dd5f86134d --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit\",\"field\":\"carbon_black_cloud.alert.watchlists.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\
":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Watchlist Hit\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-8af47260-8d87-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..60669ee962 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Reputation\",\"field\":\"carbon_black_cloud.alert.threat_cause.reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Reputation\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-906f65c0-8d81-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..19ad6bf381 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Threat Indicators Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Indicators Process Name\",\"field\":\"carbon_black_cloud.alert.threat_indicators.process_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Threat Indicators Process Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-928cff80-8d8a-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..7992c14128 --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Devices", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Devices\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-949c1d00-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..ebcc102bf4 --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Run State", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Run State\",\"field\":\"carbon_black_cloud.alert.run_state\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Run State\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-97ab53f0-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf3592d08f --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-993b8650-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1025e00226 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Sensor Action", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.alert.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":
{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Sensor Action\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-9a533f40-8d80-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..c4ce665f33 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Username\",\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a5d6fa30-8d8c-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..7db345ec9b --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Audit Logs by Flag Status", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Flagged\",\"field\":\"carbon_black_cloud.audit.flagged\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Audit Logs by Flag Status\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a6d2a900-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..37864260d1 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Effective Reputation of Loaded Modules\",\"field\":\"carbon_black_cloud.endpoint_event.modload.effective_reputation\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Effective reputation of the loaded modules\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-a7ce1420-9630-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..cf20544145 --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Child Process Publisher Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Child Process Publisher Name\",\"field\":\"carbon_black_cloud.endpoint_event.childproc.publisher.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":8},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Child Process Publisher Name\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ae34ca40-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..dd2d0ee97a --- /dev/null 
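Review bot: The terms aggregation in this visState sets `"size":8` while the saved object is titled "[Carbon Black Cloud] Top 10 Child Process Publisher Name", so the table will show at most eight publishers; every other "Top 10" visualization in this package uses `"size":10`. An analyst reading the dashboard would reasonably assume the two least-common of the top ten publishers are absent, which is misleading when triaging unsigned or rarely-seen binaries. Either change the aggregation to `"size":10` or retitle the visualization to match what it actually renders.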
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-bb323db0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..bb4fb20b4b --- /dev/null 
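Review bot: The KQL query in searchSourceJSON is written `data_stream.dataset: \"carbon_black_cloud.watchlist_hit\"` (no space before the colon), whereas the other visualizations in this package write `data_stream.dataset : \"...\"`; both forms are equivalent in KQL, so this is a style point only, but aligning them keeps the saved objects uniform and diffable. The same spacing appears in the parent-process-usernames visualization later in this commit. For consistency: `\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"`.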
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Name\",\"field\":\"host.hostname\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c3786990-9555-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3a76cb6cae --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sensor Action\",\"field\":\"carbon_black_cloud.endpoint_event.sensor_action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale
\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Endpoint Events by Sensor Actions\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-c6cfa8d0-962f-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..29d985b4d8 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Watchlist Hit by Report Tag\",\"field\":\"carbon_black_cloud.watchlist_hit.report.tags\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\
"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Watchlist Hit by Report Tags\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cb70a610-955c-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..50933d86cc --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Not Blocked Threat Category\",\"field\":\"carbon_black_cloud.alert.not_blocked_threat_category\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftA
xis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Not Blocked Threat Category\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-cc2d3630-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bf02f82c2e --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Policy Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"carbon_black_cloud.alert.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Policy Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d33296f0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..bfebab9f24 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Reason Codes", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Reason Codes\",\"field\":\"carbon_black_cloud.alert.reason_code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Reason Codes\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-d49a3710-8d96-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json new file mode 100755 index 0000000000..85bf297c56 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset: \\\"carbon_black_cloud.watchlist_hit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Parent Process Usernames", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Parent Process Username\",\"field\":\"carbon_black_cloud.watchlist_hit.process.parent.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Parent Process Usernames\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-de59dff0-955a-11ec-96f0-8de26c63c826", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..2ad0964cbb --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.audit\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Request URLs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"URL\",\"field\":\"url.original\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Request URLs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee2098d0-8d70-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..cb945df49b --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Kill Chain Status\",\"field\":\"carbon_black_cloud.alert.kill_chain_status\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\
",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Kill Chain Status\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee670e50-8d89-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..fc1c6812f0 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Process Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Name\",\"field\":\"process.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\
":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Process Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ee77a260-8d84-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..3c04444ca9 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Device External IP", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device External IP\",\"field\":\"carbon_black_cloud.endpoint_event.device.external_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Device External IP\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f28910d0-9628-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..a79db35e93 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Alert Type", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Alert Type\",\"field\":\"carbon_black_cloud.alert.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Alert Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f3f635b0-8d72-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..d3f393c0d5 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threat Cause Actor Name\",\"field\":\"carbon_black_cloud.alert.threat_cause.actor.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"po
sition\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Threat Cause Actor Name\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f75eabb0-8d8b-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json new file mode 100755 index 0000000000..84fedf340e --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.endpoint_event\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Top 10 Process Username", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Process Username\",\"field\":\"carbon_black_cloud.endpoint_event.process.username\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"autoFitRowToContent\":false,\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Carbon Black Cloud] Top 10 Process Username\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f7681be0-962e-11ec-864c-3332b2a355f7", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..1c30c4f320 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Policy Applied", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Applied\",\"field\":\"carbon_black_cloud.alert.policy.applied\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Policy Applied\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-f93958c0-8d83-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json new file mode 100755 index 0000000000..4a17555983 --- /dev/null +++ b/packages/carbon_black_cloud/1.0.3/kibana/visualization/carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95.json 
@@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"carbon_black_cloud.alert\\\"\"}}" + }, + "title": "[Carbon Black Cloud] Distribution of Alerts by Target Value", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Target Value\",\"field\":\"carbon_black_cloud.alert.target_value\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Carbon Black Cloud] Distribution of Alerts by Target Value\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.17.0", + "id": "carbon_black_cloud-ff34eaa0-8d79-11ec-ac12-4bc77fa14e95", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/carbon_black_cloud/1.0.3/manifest.yml b/packages/carbon_black_cloud/1.0.3/manifest.yml new file mode 100755 index 0000000000..d37f10abcf --- /dev/null 
+++ b/packages/carbon_black_cloud/1.0.3/manifest.yml 
@@ -0,0 +1,136 @@
+format_version: 1.0.0
+name: carbon_black_cloud
+title: VMware Carbon Black Cloud
+version: 1.0.3
+license: basic
+description: Collect logs from VMWare Carbon Black Cloud with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: ^7.17.0 || ^8.0.0
+screenshots:
+ - src: /img/carbon_black_cloud-screenshot.png
+ title: Carbon Black Cloud alert dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/carbon_black_cloud-logo.svg
+ title: Carbon Black Cloud logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: carbon_black_cloud
+ title: Carbon Black Cloud
+ description: Collect Logs from Carbon Black Cloud
+ inputs:
+ - type: httpjson
+ title: Collect Carbon Black Cloud logs via API
+ description: Collect Carbon Black Cloud logs via API
+ vars:
+ - name: hostname
+ type: text
+ title: Hostname
+ description: Carbon Black Cloud console Hostname. Find hostname in the console dashboard at the beginning of the web address (Add https:// before the hostname).
+ required: true
+ - name: org_key
+ type: text
+ title: Organization Key
+ description: Organization Key.
+ required: true
+ - name: custom_api_id
+ type: text
+ title: Custom API ID
+ description: API ID with Custom Access Level type.
+ required: true
+ - name: custom_api_secret_key
+ type: password
+ title: Custom API Secret Key
+ description: API Secret Key with Custom Access Level type
+ required: true
+ - name: api_id
+ type: text
+ title: API ID
+ description: API ID with API Access Level type.
+ required: true
+ - name: api_secret_key
+ type: password
+ title: API Secret Key
+ description: API Secret Key with API Access Level type
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - type: aws-s3
+ title: Collect Carbon Black Cloud logs via AWS S3
+ description: Collect Carbon Black Cloud logs via AWS S3
+ vars:
+ - name: bucket_arn
+ type: text
+ title: Bucket ARN
+ multi: false
+ required: true
+ show_user: true
+ - name: access_key_id
+ type: password
+ title: Access Key ID
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_access_key
+ type: password
+ title: Secret Access Key
+ multi: false
+ required: true
+ show_user: true
+ - name: number_of_workers
+ type: integer
+ title: Number of Workers
+ multi: false
+ required: false
+ show_user: false
+ default: 5
+ description: Number of workers that will process the S3 objects listed.
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cef/2.0.3/changelog.yml b/packages/cef/2.0.3/changelog.yml
new file mode 100755
index 0000000000..832135f9ca
--- /dev/null
+++ b/packages/cef/2.0.3/changelog.yml
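Review bot: Both `proxy_url` vars in this manifest (httpjson and aws-s3 inputs) are declared `type: text` while their description instructs the operator to embed a proxy username and password in the URL, so a proxy credential would be stored and displayed unmasked in the policy right next to the `type: password` API and AWS secrets. If Fleet accepts a URL value in a `password` var, `type: password` on both `proxy_url` entries keeps it masked; otherwise the description should state that credentials placed in this field are not protected. The `ssl` var's description lists `verification_mode` as an example with no caveat; since this input carries API credentials over TLS, appending `Do not set verification_mode: none outside of testing; it disables certificate validation.` is worth the line. As rendered here the proxy format reads `http[s]://:@:` with its placeholders missing; if that is how the file reads, `http[s]://<user>:<password>@<host>:<port>` is presumably what was intended.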
@@ -0,0 +1,129 @@
+# newer versions go on top
+- version: "2.0.3"
+ changes:
+ - description: Format source.mac and destination.mac as per ECS.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3566
+- version: "2.0.2"
+ changes:
+ - description: Improve field documentation
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3465
+- version: "2.0.1"
+ changes:
+ - description: Clarify scope of dashboards
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3470
+- version: "2.0.0"
+ changes:
+ - description: Migrate map visualisation from tile_map to map object
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3263
+- version: "1.5.0"
+ changes:
+ - description: Update to ECS 8.2 by modifying Check Point events to use the new email field set.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2804
+- version: "1.4.3"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.4.2"
+ changes:
+ - description: Add field mappings for several `event.*` fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2808
+- version: "1.4.1"
+ changes:
+ - description: Append pipeline errors to error.message instead of overwriting existing errors.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2789
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2386
+- version: "1.3.1"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.0"
+ changes:
+ - description: Change test IPs to the supported set for GeoIP
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2216
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2216
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1950
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1802
+- version: "1.2.0"
+ changes:
+ - description: Add CEF time zone config option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1723
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1652
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1604
+- version: "0.5.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1469
+- version: '0.5.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1375
+- version: "0.5.0"
+ changes:
+ - description: Update documentation to fit mdx spec
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1401
+- version: "0.4.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1255
+- version: "0.2.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1032
+- version: "0.1.0"
+ changes:
+ - description: Change syslog input to udp input. Add syslog timestamp parsing to Ingest Node pipeline.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/898
+- version: "0.0.4"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/838
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/418
diff --git a/packages/cef/2.0.3/data_stream/log/agent/stream/log.yml.hbs b/packages/cef/2.0.3/data_stream/log/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..c9f24092e8
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/agent/stream/log.yml.hbs
@@ -0,0 +1,27 @@
+paths:
+ {{#each paths as |path i|}}
+- {{path}}
+ {{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- rename:
+ fields:
+ - {from: "message", to: "event.original"}
+- decode_cef:
+ field: event.original
+{{#if decode_cef_timezone}}
+ timezone: {{ decode_cef_timezone }}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/cef/2.0.3/data_stream/log/agent/stream/udp.yml.hbs b/packages/cef/2.0.3/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..4d71aa0234
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,23 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- rename:
+ fields:
+ - {from: "message", to: "event.original"}
+- decode_cef:
+ field: event.original
+{{#if decode_cef_timezone}}
+ timezone: {{ decode_cef_timezone }}
+{{/if}}
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
new file mode 100755
index 0000000000..8a53e9b0c7
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/cp-pipeline.yml
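Review bot: `timezone: {{ decode_cef_timezone }}` in log.yml.hbs interpolates the operator-supplied value into the rendered YAML unquoted, so a value containing a YAML indicator or ` #` would alter the structure of the rendered `decode_cef` processor instead of reaching it as a string. Quoting the substitution, `timezone: "{{ decode_cef_timezone }}"`, keeps the rendered policy well-formed for any value the variable accepts, and the `{{#if decode_cef_timezone}}` guard already handles the empty case. The identical line exists in udp.yml.hbs in this same commit and should change together with it.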
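Review bot: The udp input in udp.yml.hbs binds `{{syslog_host}}:{{syslog_port}}` and passes every datagram straight to `decode_cef`, with nothing in the template restricting which senders are accepted; UDP carries no sender authentication, so the source address and content of these CEF events are spoofable by anything that can reach the port. That is inherent to the transport rather than a defect in this template, but a comment above `host:` such as `# UDP syslog is unauthenticated: bind to an interface reachable only by the CEF exporters and filter senders at the host firewall` would make the deployment assumption explicit. The unquoted `timezone: {{ decode_cef_timezone }}` here has the same quoting concern as log.yml.hbs and should become `timezone: "{{ decode_cef_timezone }}"` as well.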
@@ -0,0 +1,380 @@ +--- +description: Pipeline for Check Point CEF + +processors: + # This script is mapping CEF extensions to ECS when possible. Otherwise + # it maps them to fields under the `checkpoint` group using Check Point log + # field names. + # + # [1] Description of Check Point CEF extensions: + # https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060 + # [2] Description of Check Point log field names (sk144192): + # https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192 + # + # Note that in some cases the CEF extension name doesn't accurately describe + # its contents. For example sntdom/sourceNtDomain, which is used to store + # Check Point's domain_name, documented as "Domain name sent to DNS request". + # + # This script processes the `params.extensions` list below. This list consists + # of two different kinds of mappings, the simpler has a source ext `name` + # and a `to` field. It copies the given extension field to the target `to`. + # + # When the `labels` dict is defined, the target field depends on the value of + # the accompanying label field. For example, the field deviceCustomIPv6Address2 + # is mapped to `source.ip` only when the extension deviceCustomIPv6Address2Label + # exists and its value is "Source IPv6 Address". + # + # Also it can convert the destination value by simple mapping when the + # convert key exists. Values without an entry in the convert dict are not + # copied and the target field remains unset. + # + # The output of this processor is a single field, `_tmp_copy`, that contains + # a list of actions `{"to": "target_field", "value":"field value"}` that is + # later executed using a foreach processor. This is done to avoid complex + # de-dotting and other gotchas of setting arbitrary fields in Painless. 
+ - script: + lang: painless + params: + extensions: + - name: cp_app_risk + to: checkpoint.app_risk + + - name: cp_app_risk + to: event.risk_score + # This mapping is a mix of [1] and [2] above. + convert: + unknown: 0 + informational: 0 + very-low: 1 + low: 2 + medium: 3 + high: 4 + very-high: 5 + critical: 5 + + - name: cp_severity + to: checkpoint.severity + + - name: cp_severity + to: event.severity + convert: + # This mapping is a mix of [1] and [2] above. + unknown: 0 + informational: 0 + very-low: 1 + low: 1 + medium: 2 + high: 3 + very-high: 4 + critical: 4 + + # Number of events associated with the log + - name: baseEventCount + to: checkpoint.event_count + + # Log type + - name: deviceExternalId + to: observer.type + + # Product Family (override deviceExternalId if present). + - name: deviceFacility + to: observer.type + convert: + '0': Network + '1': Endpoint + '2': Access + '3': Threat + '4': Mobile + + # Gateway interface, where the connection is received from in case of an outbound connection + - name: deviceInboundInterface + to: observer.ingress.interface.name + + # Gateway interface, where the connection is sent from, in case of an inbound connection + - name: deviceOutboundInterface + to: observer.egress.interface.name + + - name: externalId + to: checkpoint.uuid + + - name: fileHash + to: checkpoint.file_hash + + - name: reason + to: checkpoint.termination_reason + + # Possibly an IKE cookie + - name: requestCookies + to: checkpoint.cookie + + # Probably a typo in CP's CEF docs + - name: checkrequestCookies + to: checkpoint.cookie + + # Domain name sent to DNS request + - name: sourceNtDomain + to: dns.question.name + + # CVE registry entry + - name: Signature + to: vulnerability.id + + - name: Recipient + to: destination.user.email + + - name: Sender + to: source.user.email + + - name: deviceCustomFloatingPoint1 + labels: + update version: observer.version + + - name: deviceCustomIPv6Address2 + labels: + source ipv6 address: source.ip + + - 
name: deviceCustomIPv6Address3 + labels: + destination ipv6 address: destination.ip + + - name: deviceCustomNumber1 + labels: + payload: network.bytes + elapsed time in seconds: event.duration + email recipients number: checkpoint.email_recipients_num + + - name: deviceCustomNumber2 + labels: + duration in seconds: event.duration + icmp type: checkpoint.icmp_type + + - name: deviceCustomNumber3 + labels: + icmp code: checkpoint.icmp_code + + - name: deviceCustomString1 + labels: + application rule name: rule.name + dlp rule name: rule.name + threat prevention rule name: rule.name + connectivity state: checkpoint.connectivity_state + email id: checkpoint.email_id + voip log type: checkpoint.voip_log_type + + - name: deviceCustomString2 + labels: + # Protection malware id + protection id: checkpoint.protection_id + update status: checkpoint.update_status + email subject: checkpoint.email_subject + sensor mode: checkpoint.sensor_mode + scan invoke type: checkpoint.integrity_av_invoke_type + category: checkpoint.category + # Matched categories + categories: rule.category + peer gateway: checkpoint.peer_gateway + + - name: deviceCustomString6 + labels: + application name: network.application + virus name: checkpoint.virus_name + malware name: checkpoint.spyware_name + malware family: checkpoint.malware_family + + - name: deviceCustomString3 + labels: + user group: group.name + # Format of original data. 
+ incident extension: checkpoint.incident_extension + identity type: checkpoint.identity_type + email spool id: checkpoint.email_spool_id + # Type of protection used to detect the attack + protection type: checkpoint.protection_type + + - name: deviceCustomString4 + labels: + malware status: checkpoint.spyware_status + destination os: os.name + scan result: checkpoint.scan_result + frequency: checkpoint.frequency + protection name: checkpoint.protection_name + user response: checkpoint.user_status + email control: checkpoint.email_control + tcp flags: checkpoint.tcp_flags + threat prevention rule id: rule.id + + - name: deviceCustomString5 + labels: + matched category: rule.category + authentication method: checkpoint.auth_method + email session id: checkpoint.email_session_id + vlan id: network.vlan.id + + - name: deviceCustomDate2 + labels: + subscription expiration: checkpoint.subs_exp + + - name: deviceFlexNumber1 + labels: + confidence: checkpoint.confidence_level + + - name: deviceFlexNumber2 + labels: + destination phone number: checkpoint.dst_phone_number + performance impact: checkpoint.performance_impact + + - name: flexString1 + labels: + application signature id: checkpoint.app_sig_id + + - name: flexString2 + labels: + malware action: rule.description + attack information: event.action + + - name: rule_uid + to: rule.uuid + + - name: ifname + to: observer.ingress.interface.name + + - name: inzone + to: observer.ingress.zone + + - name: outzone + to: observer.egress.zone + + - name: product + to: observer.product + + source: | + def actions = new ArrayList(); + def exts = ctx.cef?.extensions; + if (exts == null) return; + for (entry in params.extensions) { + def value = exts[entry.name]; + if (value == null || + (entry.convert != null && + (value=entry.convert[value.toLowerCase()]) == null)) + continue; + if (entry.to != null) { + actions.add([ + "value": value, + "to": entry.to + ]); + continue; + } + def label = exts[entry.name + "Label"]; + if (label 
== null) continue; + def dest = entry.labels[label.toLowerCase()]; + if (dest == null) continue; + actions.add([ + "value": value, + "to": dest + ]); + } + ctx["_tmp_copy"] = actions; + + - foreach: + field: _tmp_copy + processor: + set: + field: "{{_ingest._value.to}}" + value: "{{_ingest._value.value}}" + + - remove: + field: _tmp_copy + + - set: + field: email.to.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - set: + field: email.from.address + value: ["{{{source.user.email}}}"] + if: "ctx?.source?.user?.email != null" + - set: + field: email.subject + copy_from: checkpoint.email_subject + if: "ctx?.checkpoint?.email_subject != null" + - set: + field: email.message_id + copy_from: checkpoint.email_session_id + if: "ctx?.checkpoint?.email_session_id != null" + - convert: + field: event.risk_score + type: float + ignore_missing: true + on_failure: + - remove: + field: event.risk_score + - convert: + field: event.severity + type: long + ignore_missing: true + on_failure: + - remove: + field: event.severity + + # event.duration is a string and contains seconds. Convert to long nanos. + - script: + params: + second_to_nanos: 1000000000 + lang: painless + source: | + def duration = ctx.event?.duration; + if (duration == null) return; + ctx.event.duration = Long.parseLong(duration) * params.second_to_nanos; + on_failure: + - remove: + field: event.duration + ignore_missing: true + + # checkpoint.file_hash can be either MD5, SHA1 or SHA256. 
+ - rename: + field: checkpoint.file_hash + target_field: file.hash.md5 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==32' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha1 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==40' + - rename: + field: checkpoint.file_hash + target_field: file.hash.sha256 + if: 'ctx.checkpoint?.file_hash != null && ctx.checkpoint.file_hash.length()==64' + + # Event kind is 'event' by default. 'alert' when a risk score and rule info + # is present. + - set: + field: event.kind + value: event + - set: + field: event.kind + value: alert + if: 'ctx.cef?.extensions?.cp_app_risk != null && ctx.rule != null' + + # Set event.category to network/malware/intrusion_detection depending on which + # fields have been populated. + - set: + field: event.category + value: network + if: 'ctx.source?.ip != null && ctx.destination?.ip != null' + - set: + field: event.category + value: malware + if: 'ctx.checkpoint?.protection_id != null || ctx.checkpoint?.spyware_name != null || ctx.checkpoint?.malware_family != null || ctx.checkpoint?.spyware_status != null' + - set: + field: event.category + value: intrusion_detection + if: 'ctx.event?.category != "malware" && (ctx.checkpoint?.protection_type != null || ctx.cef.extensions?.flexString2Label == "Attack Information")' + + - convert: + field: checkpoint.event_count + type: long + ignore_missing: true + - convert: + field: cef.extensions.baseEventCount + type: long + ignore_missing: true + diff --git a/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..ab067960c5 --- /dev/null +++ b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
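Review bot: The mapping script exits with `if (exts == null) return;` before `ctx["_tmp_copy"] = actions;` runs, and the `foreach` and `remove` processors on `_tmp_copy` that follow carry no `ignore_missing: true`, so a Check Point event whose CEF message has no extensions fails this whole sub-pipeline and surfaces only as `error.message` in the caller. Move the assignment ahead of the early return (`ctx["_tmp_copy"] = actions; if (exts == null) return;`) or add `ignore_missing: true` to both processors. Separately, `event.category` is written with `set` as a single scalar (`network`, `malware`, `intrusion_detection`) although ECS defines it as an array, and each later `set` overwrites the earlier one, so an event with both endpoints' IPs and a malware indicator keeps only `malware`; `append` would retain both values, with the `!= "malware"` test on the third processor adapted to a contains check. No `event.type` is set next to `event.kind` and `event.category`, which ECS categorization normally pairs with them.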
@@ -0,0 +1,177 @@
+---
+description: Pipeline for CEF logs. CEF decoding happens in the Agent. This performs additional enrichment and vendor specific transformations.
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+
+ - convert:
+ field: event.id
+ type: string
+ ignore_missing: true
+
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: related.hash
+ value: "{{cef.extensions.fileHash}}"
+ allow_duplicates: false
+ if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''"
+ - append:
+ field: related.hash
+ value: "{{cef.extensions.oldFileHash}}"
+ allow_duplicates: false
+ if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''"
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''"
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ allow_duplicates: false
+ if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''"
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: "ctx?.source?.ip != null && ctx?.source?.ip != ''"
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ allow_duplicates: false
+ if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''"
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: "ctx?.destination?.user?.name != null"
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ allow_duplicates: false
+ if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''"
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ allow_duplicates: false
+ if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''"
+ - pipeline:
+ name: '{{ IngestPipeline "fp-pipeline" }}'
+ if: "ctx.cef?.device?.vendor == 'FORCEPOINT'"
+ - pipeline:
+ name: '{{ IngestPipeline "cp-pipeline" }}'
+ if: "ctx.cef?.device?.vendor == 'Check Point'"
+ - community_id: {}
+
+ # Ensure source.mac and destination.mac are formatted to ECS specifications.
+ - gsub:
+ field: destination.mac
+ ignore_missing: true
+ pattern: '[:.]'
+ replacement: '-'
+ - gsub:
+ field: source.mac
+ ignore_missing: true
+ pattern: '[:.]'
+ replacement: '-'
+ - uppercase:
+ field: destination.mac
+ ignore_missing: true
+ - uppercase:
+ field: source.mac
+ ignore_missing: true
+
+ #
+ # Timestamp parsing.
+ #
+ - grok:
+ # decode_cef sets @timestamp when deviceReceiptTime is provided.
+ description: Extract timestamp from log header when deviceReceiptTime not given.
+ if: ctx?.cef?.extensions?.deviceReceiptTime == null
+ field: event.original
+ patterns:
+ - '^%{SYSLOG_TIMESTAMP} '
+ - '^%{ECS_SYSLOG_PRI}%{SYSLOG_TIMESTAMP} ' # RFC3164
+ - '^%{ECS_SYSLOG_PRI}%{NONNEGINT} %{SYSLOG_TIMESTAMP} ' # RFC5224
+ pattern_definitions:
+ ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>'
+ SYSLOG_TIMESTAMP: '(?:%{SYSLOGTIMESTAMP:_tmp.timestamp}|%{TIMESTAMP_ISO8601:_tmp.timestamp8601})'
+ ignore_failure: true
+ - date:
+ if: ctx?._tmp?.timestamp8601 != null
+ field: _tmp.timestamp8601
+ formats:
+ - ISO8601
+ - date:
+ if: ctx?._tmp?.timestamp != null
+ field: _tmp.timestamp
+ formats:
+ - MMM d HH:mm:ss
+ - MMM dd HH:mm:ss
+ - remove:
+ field:
+ - _tmp
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+
+ # Cleanup
+ - remove:
+ field:
+ - cef.extensions._cefVer
+ ignore_missing: true
+
+on_failure:
+ - remove:
+ field:
+ - _tmp
+ ignore_failure: true
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
new file mode 100755
index 0000000000..f87d217328
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/elasticsearch/ingest_pipeline/fp-pipeline.yml
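Review bot: The `append` to `related.user` for `destination.user.name` omits the `allow_duplicates: false` and `!= ''` guard that every neighbouring `related.*` append carries, so an empty destination user name lands in `related.user` as an empty string and a repeat of the source user name is stored twice; bring it in line with the source.user.name entry: `allow_duplicates: false` and `if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''"`. In the grok `patterns`, the trailing comment `# RFC5224` on the third pattern names the wrong RFC; the structured-syslog header is RFC 5424, the number the `log.syslog.priority` description cites later in this diff. The `date` processor for `_tmp.timestamp` parses `MMM d HH:mm:ss` without a year or zone, so such headers are read as UTC in the current year; if the devices are expected to emit local time, the processor's `timezone` option is where that belongs, and a comment stating the assumption would help either way.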
@@ -0,0 +1,27 @@
+---
+description: Pipeline for Forcepoint CEF
+
+processors:
+ # cs1 is ruleID
+ - set:
+ field: rule.id
+ value: "{{cef.extensions.deviceCustomString1}}"
+ ignore_empty_value: true
+
+ # cs2 is natRuleID
+ - set:
+ field: rule.id
+ value: "{{cef.extensions.deviceCustomString2}}"
+ ignore_empty_value: true
+
+ # cs3 is VulnerabilityReference
+ - set:
+ field: vulnerability.reference
+ value: "{{cef.extensions.deviceCustomString3}}"
+ ignore_empty_value: true
+
+ # cs4 is virusID
+ - set:
+ field: cef.forcepoint.virus_id
+ value: "{{cef.extensions.deviceCustomString4}}"
+ ignore_empty_value: true
diff --git a/packages/cef/2.0.3/data_stream/log/fields/agent.yml b/packages/cef/2.0.3/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d03a5f0211
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/fields/agent.yml
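Review bot: Both the `cs1` (ruleID) and `cs2` (natRuleID) processors write to `rule.id`, and `set` overrides by default, so when an event carries both extensions the NAT rule identifier silently replaces the security rule identifier that the event was actually matched on. Keep `rule.id` for ruleID and move natRuleID to a vendor field next to `cef.forcepoint.virus_id` (a proposed `cef.forcepoint.nat_rule_id`, declared in the data stream's fields definitions), or at minimum add `override: false` to the second `set` so the ruleID wins. A one-line comment in the file noting that `ignore_empty_value: true` is what makes each `set` a no-op when the extension is absent (an unresolved template reference renders empty) would spare the next reader the lookup.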
@@ -0,0 +1,207 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cef/2.0.3/data_stream/log/fields/base-fields.yml b/packages/cef/2.0.3/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..88e15e9046
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cef
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cef.log
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/cef/2.0.3/data_stream/log/fields/ecs.yml b/packages/cef/2.0.3/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..a2802bca93
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/fields/ecs.yml
@@ -0,0 +1,380 @@ +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + MAC address of the destination. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: destination.mac + type: keyword +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. 
+ name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: Unique identifier for the group on the system/platform. + name: destination.user.group.id + type: keyword +- description: Name of the group. + name: destination.user.group.name + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: Primary group name of the file. + name: file.group + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: |- + Syslog numeric priority of the event, if available. 
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: A categorization value keyword used by the entity using the rule for detection of this event.
+ name: rule.category
+ type: keyword
+- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
+ name: rule.id
+ type: keyword
+- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
+ name: rule.uuid
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: |-
+ MAC address of the source.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: source.mac
+ type: keyword
+- description: |-
+ Translated ip of source based NAT sessions (e.g. internal client to internet)
+ Typically connections traversing load balancers, firewalls, or routers.
+ name: source.nat.ip
+ type: ip
+- description: |-
+ Translated port of source based NAT sessions. (e.g. internal client to internet)
+ Typically used with load balancers, firewalls, or routers.
+ name: source.nat.port
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: Unique identifier for the group on the system/platform.
+ name: source.user.group.id
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: Unique identifier of the user.
+ name: source.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
+ name: event.risk_score
+ type: float
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
diff --git a/packages/cef/2.0.3/data_stream/log/fields/fields.yml b/packages/cef/2.0.3/data_stream/log/fields/fields.yml
new file mode 100755
index 0000000000..c667ec5df0
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/fields/fields.yml
@@ -0,0 +1,608 @@
+- name: cef.name
+ type: keyword
+- name: cef.severity
+ type: keyword
+- name: cef.version
+ type: keyword
+- name: destination.service.name
+ type: keyword
+- name: source.service.name
+ type: keyword
+- name: cef.forcepoint
+ type: group
+ fields:
+ - name: virus_id
+ type: keyword
+ description: |
+ Virus ID
+- name: checkpoint
+ type: group
+ fields:
+ - name: app_risk
+ type: keyword
+ description: Application risk.
+ - name: app_severity
+ type: keyword
+ description: Application threat severity.
+ - name: app_sig_id
+ type: keyword
+ description: The signature ID which the application was detected by.
+ - name: auth_method
+ type: keyword
+ description: Password authentication protocol used.
+ - name: category
+ type: keyword
+ description: Category.
+ - name: confidence_level
+ type: integer
+ description: Confidence level determined.
+ - name: connectivity_state
+ type: keyword
+ description: Connectivity state.
+ - name: cookie
+ type: keyword
+ description: IKE cookie.
+ - name: dst_phone_number
+ type: keyword
+ description: Destination IP-Phone.
+ - name: email_control
+ type: keyword
+ description: Engine name.
+ - name: email_id
+ type: keyword
+ description: Internal email ID.
+ - name: email_recipients_num
+ type: long
+ description: Number of recipients.
+ - name: email_session_id
+ type: keyword
+ description: Internal email session ID.
+ - name: email_spool_id
+ type: keyword
+ description: Internal email spool ID.
+ - name: email_subject
+ type: keyword
+ description: Email subject.
+ - name: event_count
+ type: long
+ description: Number of events associated with the log.
+ - name: frequency
+ type: keyword
+ description: Scan frequency.
+ - name: icmp_type
+ type: long
+ description: ICMP type.
+ - name: icmp_code
+ type: long
+ description: ICMP code.
+ - name: identity_type
+ type: keyword
+ description: Identity type.
+ - name: incident_extension
+ type: keyword
+ description: Format of original data.
+ - name: integrity_av_invoke_type
+ type: keyword
+ description: Scan invoke type.
+ - name: malware_family
+ type: keyword
+ description: Malware family.
+ - name: peer_gateway
+ type: ip
+ description: Main IP of the peer Security Gateway.
+ - name: performance_impact
+ type: integer
+ description: Protection performance impact.
+ - name: protection_id
+ type: keyword
+ description: Protection malware ID.
+ - name: protection_name
+ type: keyword
+ description: Specific signature name of the attack.
+ - name: protection_type
+ type: keyword
+ description: Type of protection used to detect the attack.
+ - name: scan_result
+ type: keyword
+ description: Scan result.
+ - name: sensor_mode
+ type: keyword
+ description: Sensor mode.
+ - name: severity
+ type: keyword
+ description: Threat severity.
+ - name: spyware_name
+ type: keyword
+ description: Spyware name.
+ - name: spyware_status
+ type: keyword
+ description: Spyware status.
+ - name: subs_exp
+ type: date
+ description: The expiration date of the subscription.
+ - name: tcp_flags
+ type: keyword
+ description: TCP packet flags.
+ - name: termination_reason
+ type: keyword
+ description: Termination reason.
+ - name: update_status
+ type: keyword
+ description: Update status.
+ - name: user_status
+ type: keyword
+ description: User response.
+ - name: uuid
+ type: keyword
+ description: External ID.
+ - name: virus_name
+ type: keyword
+ description: Virus name.
+ - name: voip_log_type
+ type: keyword
+ description: VoIP log types.
+- name: cef.device
+ type: group
+ fields:
+ - name: event_class_id
+ type: keyword
+ description: Unique identifier of the event type.
+ - name: product
+ type: keyword
+ description: Product of the device that produced the message.
+ - name: vendor
+ type: keyword
+ description: Vendor of the device that produced the message.
+ - name: version
+ type: keyword
+ description: Version of the product that produced the message.
+- name: cef.extensions
+ type: group
+ fields:
+ - name: agentAddress
+ type: ip
+ description: The IP address of the ArcSight connector that processed the event.
+ - name: agentHostName
+ type: keyword
+ description: The hostname of the ArcSight connector that processed the event.
+ - name: agentId
+ type: keyword
+ description: The agent ID of the ArcSight connector that processed the event.
+ - name: agentReceiptTime
+ type: date
+ description: The time at which information about the event was received by the ArcSight connector.
+ - name: agentTimeZone
+ type: keyword
+ description: The agent time zone of the ArcSight connector that processed the event.
+ - name: agentType
+ type: keyword
+ description: The agent type of the ArcSight connector that processed the event.
+ - name: destinationHostName
+ type: keyword
+ description: Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available.
+ - name: deviceTimeZone
+ type: keyword
+ description: The time zone for the device generating the event.
+ - name: requestUrlFileName
+ type: keyword
+ - name: startTime
+ type: date
+ description: The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970).
+ - name: type
+ type: long
+ description: 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0).
+ - name: agentVersion
+ type: keyword
+ description: The version of the ArcSight connector that processed the event.
+ - name: agentZoneURI
+ type: keyword
+ - name: deviceSeverity
+ type: keyword
+ - name: deviceZoneURI
+ type: keyword
+ description: Thee URI for the Zone that the device asset has been assigned to in ArcSight.
+ - name: fileType
+ type: keyword
+ description: Type of file (pipe, socket, etc.)
+ - name: filename
+ type: keyword
+ description: Name of the file only (without its path).
+ - name: managerReceiptTime
+ type: date
+ description: When the Arcsight ESM received the event.
+ - name: agentMacAddress
+ type: keyword
+ description: The MAC address of the ArcSight connector that processed the event.
+ - name: deviceProcessName
+ type: keyword
+ description: Process name associated with the event. An example might be the process generating the syslog entry in UNIX.
+ - name: baseEventCount
+ type: long
+ description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
+ - name: dvc
+ type: ip
+ description: This field is used by Trend Micro if the hostname is an IPv4 address.
+ - name: dvchost
+ type: keyword
+ description: This field is used by Trend Micro for hostnames and IPv6 addresses.
+ - name: cp_app_risk
+ type: keyword
+ - name: cp_severity
+ type: keyword
+ - name: ifname
+ type: keyword
+ - name: inzone
+ type: keyword
+ - name: layer_uuid
+ type: keyword
+ - name: layer_name
+ type: keyword
+ - name: logid
+ type: keyword
+ - name: loguid
+ type: keyword
+ - name: match_id
+ type: keyword
+ - name: nat_addtnl_rulenum
+ type: keyword
+ - name: nat_rulenum
+ type: keyword
+ - name: origin
+ type: keyword
+ - name: originsicname
+ type: keyword
+ - name: outzone
+ type: keyword
+ - name: parent_rule
+ type: keyword
+ - name: product
+ type: keyword
+ - name: rule_action
+ type: keyword
+ - name: rule_uid
+ type: keyword
+ - name: sequencenum
+ type: keyword
+ - name: service_id
+ type: keyword
+ - name: version
+ type: keyword
+ - name: applicationProtocol
+ type: keyword
+ description: Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.
+ - name: categoryDeviceGroup
+ type: keyword
+ description: General device group like Firewall (ArcSight).
+ - name: categoryTechnique
+ type: keyword
+ description: Technique being used (e.g.
/DoS) (ArcSight).
+ - name: deviceEventCategory
+ type: keyword
+ description: Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read".
+ - name: sourceNtDomain
+ type: keyword
+ description: The Windows domain name for the source address.
+ - name: destinationNtDomain
+ type: keyword
+ description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
+ - name: categoryOutcome
+ type: keyword
+ description: Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight).
+ - name: categorySignificance
+ type: keyword
+ description: Characterization of the importance of the event (ArcSight).
+ - name: categoryObject
+ type: keyword
+ description: Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight).
+ - name: categoryBehavior
+ type: keyword
+ description: Action or a behavior associated with an event. It's what is being done to the object (ArcSight).
+ - name: categoryDeviceType
+ type: keyword
+ description: Device type. Examples - Proxy, IDS, Web Server (ArcSight).
+ - name: baseEventCount
+ type: keyword
+ description: A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1.
+ - name: bytesIn
+ type: long
+ description: Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination.
+ - name: bytesOut
+ type: long
+ description: Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source.
+ - name: destinationAddress
+ type: ip
+ description: Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address.
+ - name: destinationPort
+ type: long
+ description: The valid port numbers are between 0 and 65535.
+ - name: destinationServiceName
+ type: keyword
+ description: The service targeted by this event.
+ - name: destinationTranslatedAddress
+ type: ip
+ description: Identifies the translated destination that the event refers to in an IP network.
+ - name: destinationTranslatedPort
+ type: long
+ description: Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535.
+ - name: destinationUserName
+ type: keyword
+ description: Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field.
+ - name: destinationUserPrivileges
+ type: keyword
+ description: The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator".
+ - name: deviceAction
+ type: keyword
+ description: Action taken by the device.
+ - name: deviceAddress
+ type: ip
+ description: Identifies the device address that an event refers to in an IP network.
+ - name: deviceCustomDate2
+ type: keyword
+ description: One of two timestamp fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomDate2Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomIPv6Address2
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address2Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomIPv6Address3
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address3Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomNumber1
+ type: long
+ description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomNumber1Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomNumber2
+ type: long
+ description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomNumber2Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomNumber3
+ type: long
+ description: One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomNumber3Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString1
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString1Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString2
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString2Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString3
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString3Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString4
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString4Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString5
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString5Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomString6
+ type: keyword
+ description: One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
+ - name: deviceCustomString6Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceDirection
+ type: long
+ description: Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound.
+ - name: deviceExternalId
+ type: keyword
+ description: A name that uniquely identifies the device generating this event.
+ - name: deviceFacility
+ type: keyword
+ description: The facility generating this event. For example, Syslog has an explicit facility associated with every event.
+ - name: deviceHostName
+ type: keyword
+ description: The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available.
+ - name: deviceOutboundInterface
+ type: keyword
+ description: Interface on which the packet or data left the device.
+ - name: deviceReceiptTime
+ type: keyword
+ description: The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970)
+ - name: eventId
+ type: long
+ description: This is a unique ID that ArcSight assigns to each event.
+ - name: fileHash
+ type: keyword
+ description: Hash of a file.
+ - name: message
+ type: keyword
+ description: An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator.
+ - name: oldFileHash
+ type: keyword
+ description: Hash of the old file.
+ - name: requestContext
+ type: keyword
+ description: Description of the content from which the request originated (for example, HTTP Referrer).
+ - name: requestMethod
+ type: keyword
+ description: The HTTP method used to access a URL.
+ - name: requestUrl
+ type: keyword
+ description: In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well.
+ - name: method
+ type: keyword
+ description: HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field.
+ - name: sourceAddress
+ type: ip
+ description: Identifies the source that an event refers to in an IP network.
+ - name: sourceGeoLatitude
+ type: long
+ - name: sourceGeoLongitude
+ type: long
+ - name: sourcePort
+ type: long
+ description: The valid port numbers are 0 to 65535.
+ - name: sourceServiceName
+ type: keyword
+ description: The service that is responsible for generating this event.
+ - name: sourceTranslatedAddress
+ type: ip
+ description: Identifies the translated source that the event refers to in an IP network.
+ - name: sourceTranslatedPort
+ type: long
+ description: A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535.
+ - name: sourceUserName
+ type: keyword
+ description: Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
+ - name: sourceUserPrivileges
+ type: keyword
+ description: The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator".
+ - name: transportProtocol
+ type: keyword
+ description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP.
+ - name: ad
+ type: flattened
+ - name: TrendMicroDsDetectionConfidence
+ type: keyword
+ - name: TrendMicroDsFileMD5
+ type: keyword
+ - name: TrendMicroDsFileSHA1
+ type: keyword
+ - name: TrendMicroDsFileSHA256
+ type: keyword
+ - name: TrendMicroDsFrameType
+ type: keyword
+ - name: TrendMicroDsMalwareTarget
+ type: keyword
+ - name: TrendMicroDsMalwareTargetType
+ type: keyword
+ - name: TrendMicroDsPacketData
+ type: keyword
+ - name: TrendMicroDsRelevantDetectionNames
+ type: keyword
+ - name: TrendMicroDsTenant
+ type: keyword
+ - name: TrendMicroDsTenantId
+ type: keyword
+ - name: assetCriticality
+ type: keyword
+ - name: deviceAssetId
+ type: keyword
+ - name: deviceCustomIPv6Address1
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address1Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomIPv6Address2
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address2Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomIPv6Address3
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address3Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceCustomIPv6Address4
+ type: ip
+ description: One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
+ - name: deviceCustomIPv6Address4Label
+ type: keyword
+ description: All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
+ - name: deviceInboundInterface
+ type: keyword
+ description: Interface on which the packet or data entered the device.
+ - name: deviceZoneID
+ type: keyword
+ - name: eventAnnotationAuditTrail
+ type: keyword
+ - name: eventAnnotationEndTime
+ type: date
+ - name: eventAnnotationFlags
+ type: keyword
+ - name: eventAnnotationManagerReceiptTime
+ type: date
+ - name: eventAnnotationModificationTime
+ type: date
+ - name: eventAnnotationStageUpdateTime
+ type: date
+ - name: eventAnnotationVersion
+ type: keyword
+ - name: locality
+ type: keyword
+ - name: modelConfidence
+ type: keyword
+ - name: originalAgentAddress
+ type: keyword
+ - name: originalAgentHostName
+ type: keyword
+ - name: originalAgentId
+ type: keyword
+ - name: originalAgentType
+ type: keyword
+ - name: originalAgentVersion
+ type: keyword
+ - name: originalAgentZoneURI
+ type: keyword
+ - name: priority
+ type: keyword
+ - name: relevance
+ type: keyword
+ - name: severity
+ type: keyword
+ - name: sourceTranslatedZoneID
+ type: keyword
+ - name: sourceTranslatedZoneURI
+ type: keyword
+ description: The URI for the Translated Zone that the destination asset has been assigned to in ArcSight.
+ - name: sourceZoneID
+ type: keyword
+ description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
+ - name: sourceZoneURI
+ type: keyword
+ description: The URI for the Zone that the source asset has been assigned to in ArcSight.
+ - name: aggregationType
+ type: keyword
+ - name: destinationMacAddress
+ type: keyword
+ description: Six colon-separated hexadecimal numbers.
+ - name: filePath
+ type: keyword
+ description: Full path to the file, including file name itself.
+ - name: fileSize
+ type: long
+ description: Size of the file.
+ - name: repeatCount
+ type: keyword
+ - name: sourceHostName
+ type: keyword
+ description: Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available.
+ - name: sourceMacAddress
+ type: keyword
+ description: Six colon-separated hexadecimal numbers.
+ - name: sourceUserId
+ type: keyword
+ description: Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0.
+ - name: target
+ type: keyword
diff --git a/packages/cef/2.0.3/data_stream/log/manifest.yml b/packages/cef/2.0.3/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..8383dac3ad
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/manifest.yml
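Review bot: `baseEventCount` is declared twice under `cef.extensions` with conflicting types — `type: long` in the entry after `deviceProcessName` and `type: keyword` in the later entry after `categoryDeviceType` — and which mapping the package tooling keeps is not visible here, so numeric queries or aggregations on that field may silently break; drop the `keyword` duplicate. `sourceGeoLatitude` and `sourceGeoLongitude` are mapped as `long`, which cannot hold fractional coordinates and would truncate or reject real values; `type: float` (already used in this PR for `event.risk_score`) or a `geo_point` is the safer mapping, to be confirmed against what the decoder emits. Several descriptions appear copy-pasted from neighbouring fields: `destinationNtDomain` carries the `categoryOutcome` text, `sourceZoneID` carries the `sourceUserId` text, and `sourceTranslatedZoneURI` says "destination asset"; `deviceCustomIPv6Address2`/`3` and their label fields are also defined twice with identical bodies. Typos to fix while here: `Thee URI`, `sucess`, `sytem`, and `when a mode is available` (should read `node`, matching `destinationHostName`).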
@@ -0,0 +1,104 @@
+type: logs
+title: CEF log logs
+streams:
+ - input: logfile
+ template_path: log.yml.hbs
+ title: CEF logs
+ description: Collect CEF logs using log input
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cef.log
+ - name: decode_cef_timezone
+ type: text
+ title: CEF Timezone
+ multi: false
+ required: false
+ show_user: false
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message.
+ - name: tags
+ type: text
+ title: Tags
+ description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events.
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cef
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: udp
+ template_path: udp.yml.hbs
+ title: CEF logs
+ description: Collect CEF logs using udp input
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ description: The interface to listen to UDP based syslog traffic. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ description: The UDP port to listen for syslog traffic.
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: decode_cef_timezone
+ type: text
+ title: CEF Timezone
+ multi: false
+ required: false
+ show_user: false
+ description: IANA time zone or time offset (e.g. `+0200`) to use when interpreting timestamps without a time zone in the CEF message.
+ - name: tags
+ type: text
+ title: Tags
+ description: A list of tags to include in events. Including `forwarded` indicates that the events did not originate on this host and causes `host.name` to not be added to events.
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cef
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cef/2.0.3/data_stream/log/sample_event.json b/packages/cef/2.0.3/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..2921fcb328
--- /dev/null
+++ b/packages/cef/2.0.3/data_stream/log/sample_event.json
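Review bot: The `processors` variable of the `logfile` stream declares its description with `description: >` while the identical text in the `udp` stream uses `description: >-`, so the first keeps a trailing newline and the second strips it; use `description: >-` in both so the two streams render the same value. The `syslog_host` description invites users to set `0.0.0.0`, and because the UDP syslog input accepts datagrams from any sender with no authentication, that sentence would benefit from a following note such as `Binding to 0.0.0.0 exposes an unauthenticated UDP listener; restrict reachability to known log sources with a host firewall or network ACL.` The `localhost` default is the conservative choice and should be kept as is.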
@@ -0,0 +1,122 @@
+{
+ "@timestamp": "2022-06-03T01:39:47.734Z",
+ "agent": {
+ "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf",
+ "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "cef": {
+ "device": {
+ "event_class_id": "18",
+ "product": "Vaporware",
+ "vendor": "Elastic",
+ "version": "1.0.0-alpha"
+ },
+ "extensions": {
+ "destinationAddress": "192.168.10.1",
+ "destinationPort": 443,
+ "eventId": 3457,
+ "requestContext": "https://www.google.com",
+ "requestMethod": "POST",
+ "requestUrl": "https://www.example.com/cart",
+ "sourceAddress": "89.160.20.156",
+ "sourceGeoLatitude": 38.915,
+ "sourceGeoLongitude": -77.511,
+ "sourcePort": 33876,
+ "sourceServiceName": "httpd",
+ "transportProtocol": "TCP"
+ },
+ "name": "Web request",
+ "severity": "low",
+ "version": "0"
+ },
+ "data_stream": {
+ "dataset": "cef.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "192.168.10.1",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "18",
+ "dataset": "cef.log",
+ "id": "3457",
+ "ingested": "2022-06-03T01:39:48Z",
+ "severity": 0
+ },
+ "http": {
+ "request": {
+ "method": "POST",
+ "referrer": "https://www.google.com"
+ }
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.112.4:35889"
+ }
+ },
+ "message": "Web request",
+ "network": {
+ "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=",
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "Vaporware",
+ "vendor": "Elastic",
+ "version": "1.0.0-alpha"
+ },
+ "related": {
+ "ip": [
+ "192.168.10.1",
+ "89.160.20.156"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156",
+ "port": 33876,
+ "service": {
+ "name": "httpd"
+ }
+ },
+ "tags": [
+ "cef",
+ "forwarded"
+ ],
+ "url": {
+ "original": "https://www.example.com/cart"
+ }
+}
\ No newline at end of file
diff --git a/packages/cef/2.0.3/docs/README.md b/packages/cef/2.0.3/docs/README.md
new file mode 100755
index 0000000000..8dca26f060
--- /dev/null
+++ b/packages/cef/2.0.3/docs/README.md
@@ -0,0 +1,617 @@
+# Common Event Format (CEF) Integration
+
+This is an integration for parsing Common Event Format (CEF) data. It can accept
+data over syslog or read it from a file.
+
+CEF data is a format like
+
+`CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
+
+When syslog is used as the transport the CEF data becomes the message that is
+contained in the syslog envelope. This integration will parse the syslog
+timestamp if it is present. Depending on the syslog RFC used the message will
+have a format like one of these:
+
+`<189> Jun 18 10:55:50 host CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
+
+`<189>1 2021-06-18T10:55:50.000003Z host app - - - CEF:0|Elastic|Vaporware|1.0.0-alpha|18|Web request|low|eventId=3457 msg=hello`
+
+In both cases the integration will use the syslog timestamp as the `@timestamp`
+unless the CEF data contains a device receipt timestamp.
+
+The Elastic Agent's `decode_cef` processor is applied to parse the CEF encoded
+data. The decoded data is written into a `cef` object field. Lastly any Elastic
+Common Schema (ECS) fields that can be populated with the CEF data are
+populated.
+
+## Compatibility
+
+### Forcepoint NGFW Security Management Center
+
+This module will process CEF data from Forcepoint NGFW Security Management
+Center (SMC). In the SMC configure the logs to be forwarded to the address set
+in `var.syslog_host` in format CEF and service UDP on `var.syslog_port`.
+Instructions can be found in [KB
+15002](https://support.forcepoint.com/KBArticle?id=000015002) for configuring
+the SMC.
+
+Testing was done with CEF logs from SMC version 6.6.1 and custom string mappings
+were taken from 'CEF Connector Configuration Guide' dated December 5, 2011.
+
+### Check Point devices
+
+This module will parse CEF data from Check Point devices as documented in [Log
+Exporter CEF Field
+Mappings](https://community.checkpoint.com/t5/Logging-and-Reporting/Log-Exporter-CEF-Field-Mappings/td-p/41060).
+
+Check Point CEF extensions are mapped as follows:
+
+
+| CEF Extension | CEF Label value | ECS Fields | Non-ECS Field |
+|----------------------------|-----------------------------|--------------------------|--------------------------------|
+| cp_app_risk | - | event.risk_score | checkpoint.app_risk |
+| cp_severity | - | event.severity | checkpoint.severity |
+| baseEventCount | - | - | checkpoint.event_count |
+| deviceExternalId | - | observer.type | - |
+| deviceFacility | - | observer.type | - |
+| deviceInboundInterface | - | observer.ingress.interface.name | - |
+| deviceOutboundInterface | - | observer.egress.interface.name | - |
+| externalId | - | - | checkpoint.uuid |
+| fileHash | - | file.hash.\{md5,sha1\} | - |
+| reason | - | - | checkpoint.termination_reason |
+| requestCookies | - | - | checkpoint.cookie |
+| sourceNtDomain | - | dns.question.name | - |
+| Signature | - | vulnerability.id | - |
+| Recipient | - | email.to.address | - |
+| Sender | - | email.from.address | - |
+| deviceCustomFloatingPoint1 | update version | observer.version | - |
+| deviceCustomIPv6Address2 | source ipv6 address | source.ip | - |
+| deviceCustomIPv6Address3 | destination ipv6 address | destination.ip | - |
+| deviceCustomNumber1 | elapsed time in seconds | event.duration | - |
+| deviceCustomNumber1 | email recipients number | - | checkpoint.email_recipients_num |
+| deviceCustomNumber1 | payload | network.bytes | - |
+| deviceCustomNumber2 | icmp type | - | checkpoint.icmp_type |
+| deviceCustomNumber2 | duration in seconds | event.duration | - |
+| deviceCustomNumber3 | icmp code | - | checkpoint.icmp_code |
+| deviceCustomString1 | connectivity state | - | checkpoint.connectivity_state |
+| deviceCustomString1 | application rule name | rule.name | - |
+| deviceCustomString1 | threat prevention rule name | rule.name | - |
+| deviceCustomString1 | voip log type | - | checkpoint.voip_log_type |
+| deviceCustomString1 | dlp rule name | rule.name | - |
+| deviceCustomString1 | email id | - | checkpoint.email_id |
+| deviceCustomString2 | category | - | checkpoint.category |
+| deviceCustomString2 | email subject | email.subject | checkpoint.email_subject |
+| deviceCustomString2 | sensor mode | - | checkpoint.sensor_mode |
+| deviceCustomString2 | protection id | - | checkpoint.protection_id |
+| deviceCustomString2 | scan invoke type | - | checkpoint.integrity_av_invoke_type |
+| deviceCustomString2 | update status | - | checkpoint.update_status |
+| deviceCustomString2 | peer gateway | - | checkpoint.peer_gateway |
+| deviceCustomString2 | categories | rule.category | - |
+| deviceCustomString6 | application name | network.application | - |
+| deviceCustomString6 | virus name | - | checkpoint.virus_name |
+| deviceCustomString6 | malware name | - | checkpoint.spyware_name |
+| deviceCustomString6 | malware family | - | checkpoint.malware_family |
+| deviceCustomString3 | user group | group.name | - |
+| deviceCustomString3 | incident extension | - | checkpoint.incident_extension |
+| deviceCustomString3 | protection type | - | checkpoint.protection_type |
+| deviceCustomString3 | email spool id | - | checkpoint.email_spool_id |
+| deviceCustomString3 | identity type | - | checkpoint.identity_type |
+| deviceCustomString4 | malware status | - | checkpoint.spyware_status |
+| deviceCustomString4 | threat prevention rule id | rule.id | - |
+| deviceCustomString4 | scan result | - | checkpoint.scan_result |
+| deviceCustomString4 | tcp flags | - | checkpoint.tcp_flags |
+| deviceCustomString4 | destination os | os.name | - |
+| deviceCustomString4 | protection name | - | checkpoint.protection_name |
+| deviceCustomString4 | email control | - | checkpoint.email_control |
+| deviceCustomString4 | frequency | - | checkpoint.frequency |
+| deviceCustomString4 | user response | - | checkpoint.user_status |
+| deviceCustomString5 | matched category | rule.category | - |
+| deviceCustomString5 | vlan id | network.vlan.id | - |
+| deviceCustomString5 | authentication method | - | checkpoint.auth_method |
+| deviceCustomString5 | email session id | email.message_id | checkpoint.email_session_id |
+| deviceCustomDate2 | subscription expiration | - | checkpoint.subs_exp |
+| deviceFlexNumber1 | confidence | - | checkpoint.confidence_level |
+| deviceFlexNumber2 | performance impact | - | checkpoint.performance_impact |
+| deviceFlexNumber2 | destination phone number | - | checkpoint.dst_phone_number |
+| flexString1 | application signature id | - | checkpoint.app_sig_id |
+| flexString2 | malware action | rule.description | - |
+| flexString2 | attack information | event.action | - |
+| rule_uid | - | rule.uuid | - |
+| ifname | - | observer.ingress.interface.name | - |
+| inzone | - | observer.ingress.zone | - |
+| outzone | - | observer.egress.zone | - |
+| product | - | observer.product | - |
+
+## Logs
+
+### CEF log
+
+This is the CEF `log` dataset.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "@timestamp": "2022-06-03T01:39:47.734Z",
+ "agent": {
+ "ephemeral_id": "167ce484-a1a1-4fac-aaff-607b859e3ddf",
+ "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "cef": {
+ "device": {
+ "event_class_id": "18",
+ "product": "Vaporware",
+ "vendor": "Elastic",
+ "version": "1.0.0-alpha"
+ },
+ "extensions": {
+ "destinationAddress": "192.168.10.1",
+ "destinationPort": 443,
+ "eventId": 3457,
+ "requestContext": "https://www.google.com",
+ "requestMethod": "POST",
+ "requestUrl": "https://www.example.com/cart",
+ "sourceAddress": "89.160.20.156",
+ "sourceGeoLatitude": 38.915,
+ "sourceGeoLongitude": -77.511,
+ "sourcePort": 33876,
+ "sourceServiceName": "httpd",
+ "transportProtocol": "TCP"
+ },
+ "name": "Web request",
+ "severity": "low",
+ "version": "0"
+ },
+ "data_stream": {
+ "dataset": "cef.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "ip": "192.168.10.1",
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "69f5d3be-c31a-4be6-adb6-cb3ed3e50817",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "code": "18",
+ "dataset": "cef.log",
+ "id": "3457",
+ "ingested": "2022-06-03T01:39:48Z",
+ "severity": 0
+ },
+ "http": {
+ "request": {
+ "method": "POST",
+ "referrer": "https://www.google.com"
+ }
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.112.4:35889"
+ }
+ },
+ "message": "Web request",
+ "network": {
+ "community_id": "1:UgazGyZMuRDtuImGjF+6GveZFw0=",
+ "transport": "tcp"
+ },
+ "observer": {
+ "product": "Vaporware",
+ "vendor": "Elastic",
+ "version": "1.0.0-alpha"
+ },
+ "related": {
+ "ip": [
+ "192.168.10.1",
+ "89.160.20.156"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.156",
+ "port": 33876,
+ "service": {
+ "name": "httpd"
+ }
+ },
+ "tags": [
+ "cef",
+ "forwarded"
+ ],
+ "url": {
+ "original": "https://www.example.com/cart"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cef.device.event_class_id | Unique identifier of the event type. | keyword |
+| cef.device.product | Product of the device that produced the message. | keyword |
+| cef.device.vendor | Vendor of the device that produced the message. | keyword |
+| cef.device.version | Version of the product that produced the message. | keyword |
+| cef.extensions.TrendMicroDsDetectionConfidence | | keyword |
+| cef.extensions.TrendMicroDsFileMD5 | | keyword |
+| cef.extensions.TrendMicroDsFileSHA1 | | keyword |
+| cef.extensions.TrendMicroDsFileSHA256 | | keyword |
+| cef.extensions.TrendMicroDsFrameType | | keyword |
+| cef.extensions.TrendMicroDsMalwareTarget | | keyword |
+| cef.extensions.TrendMicroDsMalwareTargetType | | keyword |
+| cef.extensions.TrendMicroDsPacketData | | keyword |
+| cef.extensions.TrendMicroDsRelevantDetectionNames | | keyword |
+| cef.extensions.TrendMicroDsTenant | | keyword |
+| cef.extensions.TrendMicroDsTenantId | | keyword |
+| cef.extensions.ad | | flattened |
+| cef.extensions.agentAddress | The IP address of the ArcSight connector that processed the event. | ip |
+| cef.extensions.agentHostName | The hostname of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentId | The agent ID of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentMacAddress | The MAC address of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentReceiptTime | The time at which information about the event was received by the ArcSight connector. | date |
+| cef.extensions.agentTimeZone | The agent time zone of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentType | The agent type of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentVersion | The version of the ArcSight connector that processed the event. | keyword |
+| cef.extensions.agentZoneURI | | keyword |
+| cef.extensions.aggregationType | | keyword |
+| cef.extensions.applicationProtocol | Application level protocol, example values are HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on. | keyword |
+| cef.extensions.assetCriticality | | keyword |
+| cef.extensions.baseEventCount | A count associated with this event. How many times was this same event observed? Count can be omitted if it is 1. | keyword |
+| cef.extensions.bytesIn | Number of bytes transferred inbound, relative to the source to destination relationship, meaning that data was flowing from source to destination. | long |
+| cef.extensions.bytesOut | Number of bytes transferred outbound relative to the source to destination relationship. For example, the byte number of data flowing from the destination to the source. | long |
+| cef.extensions.categoryBehavior | Action or a behavior associated with an event. It's what is being done to the object (ArcSight). | keyword |
+| cef.extensions.categoryDeviceGroup | General device group like Firewall (ArcSight). | keyword |
+| cef.extensions.categoryDeviceType | Device type. Examples - Proxy, IDS, Web Server (ArcSight). | keyword |
+| cef.extensions.categoryObject | Object that the event is about. For example it can be an operating sytem, database, file, etc (ArcSight). | keyword |
+| cef.extensions.categoryOutcome | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword |
+| cef.extensions.categorySignificance | Characterization of the importance of the event (ArcSight). | keyword |
+| cef.extensions.categoryTechnique | Technique being used (e.g. /DoS) (ArcSight). | keyword |
+| cef.extensions.cp_app_risk | | keyword |
+| cef.extensions.cp_severity | | keyword |
+| cef.extensions.destinationAddress | Identifies the destination address that the event refers to in an IP network. The format is an IPv4 address. | ip |
+| cef.extensions.destinationHostName | Identifies the destination that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the destination node, when a node is available. | keyword |
+| cef.extensions.destinationMacAddress | Six colon-separated hexadecimal numbers. | keyword |
+| cef.extensions.destinationNtDomain | Outcome of the event (e.g. sucess, failure, or attempt) (ArcSight). | keyword |
+| cef.extensions.destinationPort | The valid port numbers are between 0 and 65535. | long |
+| cef.extensions.destinationServiceName | The service targeted by this event. | keyword |
+| cef.extensions.destinationTranslatedAddress | Identifies the translated destination that the event refers to in an IP network. | ip |
+| cef.extensions.destinationTranslatedPort | Port after it was translated; for example, a firewall. Valid port numbers are 0 to 65535. | long |
+| cef.extensions.destinationUserName | Identifies the destination user by name. This is the user associated with the event's destination. Email addresses are often mapped into the UserName fields. The recipient is a candidate to put into this field. | keyword |
+| cef.extensions.destinationUserPrivileges | The typical values are "Administrator", "User", and "Guest". This identifies the destination user's privileges. In UNIX, for example, activity executed on the root user would be identified with destinationUser Privileges of "Administrator". | keyword |
+| cef.extensions.deviceAction | Action taken by the device. | keyword |
+| cef.extensions.deviceAddress | Identifies the device address that an event refers to in an IP network. | ip |
+| cef.extensions.deviceAssetId | | keyword |
+| cef.extensions.deviceCustomDate2 | One of two timestamp fields available to map fields that do not apply to any other in this dictionary. | keyword |
+| cef.extensions.deviceCustomDate2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomIPv6Address1 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
+| cef.extensions.deviceCustomIPv6Address1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomIPv6Address2 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
+| cef.extensions.deviceCustomIPv6Address2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomIPv6Address3 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
+| cef.extensions.deviceCustomIPv6Address3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomIPv6Address4 | One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary. | ip |
+| cef.extensions.deviceCustomIPv6Address4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomNumber1 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
+| cef.extensions.deviceCustomNumber1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomNumber2 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
+| cef.extensions.deviceCustomNumber2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomNumber3 | One of three number fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | long |
+| cef.extensions.deviceCustomNumber3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString1 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString1Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString2 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString2Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString3 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString3Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString4 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString4Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString5 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString5Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceCustomString6 | One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. | keyword |
+| cef.extensions.deviceCustomString6Label | All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field. | keyword |
+| cef.extensions.deviceDirection | Any information about what direction the observed communication has taken. The following values are supported - "0" for inbound or "1" for outbound. | long |
+| cef.extensions.deviceEventCategory | Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example "/Monitor/Disk/Read". | keyword |
+| cef.extensions.deviceExternalId | A name that uniquely identifies the device generating this event. | keyword |
+| cef.extensions.deviceFacility | The facility generating this event. For example, Syslog has an explicit facility associated with every event. | keyword |
+| cef.extensions.deviceHostName | The format should be a fully qualified domain name (FQDN) associated with the device node, when a node is available. | keyword |
+| cef.extensions.deviceInboundInterface | Interface on which the packet or data entered the device. | keyword |
+| cef.extensions.deviceOutboundInterface | Interface on which the packet or data left the device. | keyword |
+| cef.extensions.deviceProcessName | Process name associated with the event. An example might be the process generating the syslog entry in UNIX. | keyword |
+| cef.extensions.deviceReceiptTime | The time at which the event related to the activity was received. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970) | keyword |
+| cef.extensions.deviceSeverity | | keyword |
+| cef.extensions.deviceTimeZone | The time zone for the device generating the event. | keyword |
+| cef.extensions.deviceZoneID | | keyword |
+| cef.extensions.deviceZoneURI | Thee URI for the Zone that the device asset has been assigned to in ArcSight. | keyword |
+| cef.extensions.dvc | This field is used by Trend Micro if the hostname is an IPv4 address. | ip |
+| cef.extensions.dvchost | This field is used by Trend Micro for hostnames and IPv6 addresses. | keyword |
+| cef.extensions.eventAnnotationAuditTrail | | keyword |
+| cef.extensions.eventAnnotationEndTime | | date |
+| cef.extensions.eventAnnotationFlags | | keyword |
+| cef.extensions.eventAnnotationManagerReceiptTime | | date |
+| cef.extensions.eventAnnotationModificationTime | | date |
+| cef.extensions.eventAnnotationStageUpdateTime | | date |
+| cef.extensions.eventAnnotationVersion | | keyword |
+| cef.extensions.eventId | This is a unique ID that ArcSight assigns to each event. | long |
+| cef.extensions.fileHash | Hash of a file. | keyword |
+| cef.extensions.filePath | Full path to the file, including file name itself. | keyword |
+| cef.extensions.fileSize | Size of the file. | long |
+| cef.extensions.fileType | Type of file (pipe, socket, etc.) | keyword |
+| cef.extensions.filename | Name of the file only (without its path). | keyword |
+| cef.extensions.ifname | | keyword |
+| cef.extensions.inzone | | keyword |
+| cef.extensions.layer_name | | keyword |
+| cef.extensions.layer_uuid | | keyword |
+| cef.extensions.locality | | keyword |
+| cef.extensions.logid | | keyword |
+| cef.extensions.loguid | | keyword |
+| cef.extensions.managerReceiptTime | When the Arcsight ESM received the event. | date |
+| cef.extensions.match_id | | keyword |
+| cef.extensions.message | An arbitrary message giving more details about the event. Multi-line entries can be produced by using \n as the new line separator. | keyword |
+| cef.extensions.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
+| cef.extensions.modelConfidence | | keyword |
+| cef.extensions.nat_addtnl_rulenum | | keyword |
+| cef.extensions.nat_rulenum | | keyword |
+| cef.extensions.oldFileHash | Hash of the old file. | keyword |
+| cef.extensions.origin | | keyword |
+| cef.extensions.originalAgentAddress | | keyword |
+| cef.extensions.originalAgentHostName | | keyword |
+| cef.extensions.originalAgentId | | keyword |
+| cef.extensions.originalAgentType | | keyword |
+| cef.extensions.originalAgentVersion | | keyword |
+| cef.extensions.originalAgentZoneURI | | keyword |
+| cef.extensions.originsicname | | keyword |
+| cef.extensions.outzone | | keyword |
+| cef.extensions.parent_rule | | keyword |
+| cef.extensions.priority | | keyword |
+| cef.extensions.product | | keyword |
+| cef.extensions.relevance | | keyword |
+| cef.extensions.repeatCount | | keyword |
+| cef.extensions.requestContext | Description of the content from which the request originated (for example, HTTP Referrer). | keyword |
+| cef.extensions.requestMethod | The HTTP method used to access a URL. | keyword |
+| cef.extensions.requestUrl | In the case of an HTTP request, this field contains the URL accessed. The URL should contain the protocol as well. | keyword |
+| cef.extensions.requestUrlFileName | | keyword |
+| cef.extensions.rule_action | | keyword |
+| cef.extensions.rule_uid | | keyword |
+| cef.extensions.sequencenum | | keyword |
+| cef.extensions.service_id | | keyword |
+| cef.extensions.severity | | keyword |
+| cef.extensions.sourceAddress | Identifies the source that an event refers to in an IP network. | ip |
+| cef.extensions.sourceGeoLatitude | | long |
+| cef.extensions.sourceGeoLongitude | | long |
+| cef.extensions.sourceHostName | Identifies the source that an event refers to in an IP network. The format should be a fully qualified domain name (FQDN) associated with the source node, when a mode is available. | keyword |
+| cef.extensions.sourceMacAddress | Six colon-separated hexadecimal numbers. | keyword |
+| cef.extensions.sourceNtDomain | The Windows domain name for the source address. | keyword |
+| cef.extensions.sourcePort | The valid port numbers are 0 to 65535. | long |
+| cef.extensions.sourceServiceName | The service that is responsible for generating this event. | keyword |
+| cef.extensions.sourceTranslatedAddress | Identifies the translated source that the event refers to in an IP network. | ip |
+| cef.extensions.sourceTranslatedPort | A port number after being translated by, for example, a firewall. Valid port numbers are 0 to 65535. | long |
+| cef.extensions.sourceTranslatedZoneID | | keyword |
+| cef.extensions.sourceTranslatedZoneURI | The URI for the Translated Zone that the destination asset has been assigned to in ArcSight. | keyword |
+| cef.extensions.sourceUserId | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
+| cef.extensions.sourceUserName | Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field. | keyword |
+| cef.extensions.sourceUserPrivileges | The typical values are "Administrator", "User", and "Guest". It identifies the source user's privileges. In UNIX, for example, activity executed by the root user would be identified with "Administrator". | keyword |
+| cef.extensions.sourceZoneID | Identifies the source user by ID. This is the user associated with the source of the event. For example, in UNIX, the root user is generally associated with user ID 0. | keyword |
+| cef.extensions.sourceZoneURI | The URI for the Zone that the source asset has been assigned to in ArcSight. | keyword |
+| cef.extensions.startTime | The time when the activity the event referred to started. The format is MMM dd yyyy HH:mm:ss or milliseconds since epoch (Jan 1st 1970). | date |
+| cef.extensions.target | | keyword |
+| cef.extensions.transportProtocol | Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | keyword |
+| cef.extensions.type | 0 means base event, 1 means aggregated, 2 means correlation, and 3 means action. This field can be omitted for base events (type 0). | long |
+| cef.extensions.version | | keyword |
+| cef.forcepoint.virus_id | Virus ID | keyword |
+| cef.name | | keyword |
+| cef.severity | | keyword |
+| cef.version | | keyword |
+| checkpoint.app_risk | Application risk. | keyword |
+| checkpoint.app_severity | Application threat severity. | keyword |
+| checkpoint.app_sig_id | The signature ID which the application was detected by. | keyword |
+| checkpoint.auth_method | Password authentication protocol used. | keyword |
+| checkpoint.category | Category. | keyword |
+| checkpoint.confidence_level | Confidence level determined. | integer |
+| checkpoint.connectivity_state | Connectivity state. | keyword |
+| checkpoint.cookie | IKE cookie. | keyword |
+| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
+| checkpoint.email_control | Engine name. | keyword |
+| checkpoint.email_id | Internal email ID. | keyword |
+| checkpoint.email_recipients_num | Number of recipients. | long |
+| checkpoint.email_session_id | Internal email session ID. | keyword |
+| checkpoint.email_spool_id | Internal email spool ID. | keyword |
+| checkpoint.email_subject | Email subject. | keyword |
+| checkpoint.event_count | Number of events associated with the log. | long |
+| checkpoint.frequency | Scan frequency. | keyword |
+| checkpoint.icmp_code | ICMP code. | long |
+| checkpoint.icmp_type | ICMP type. | long |
+| checkpoint.identity_type | Identity type. | keyword |
+| checkpoint.incident_extension | Format of original data. | keyword |
+| checkpoint.integrity_av_invoke_type | Scan invoke type. | keyword |
+| checkpoint.malware_family | Malware family. | keyword |
+| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip |
+| checkpoint.performance_impact | Protection performance impact.
| integer | +| checkpoint.protection_id | Protection malware ID. | keyword | +| checkpoint.protection_name | Specific signature name of the attack. | keyword | +| checkpoint.protection_type | Type of protection used to detect the attack. | keyword | +| checkpoint.scan_result | Scan result. | keyword | +| checkpoint.sensor_mode | Sensor mode. | keyword | +| checkpoint.severity | Threat severity. | keyword | +| checkpoint.spyware_name | Spyware name. | keyword | +| checkpoint.spyware_status | Spyware status. | keyword | +| checkpoint.subs_exp | The expiration date of the subscription. | date | +| checkpoint.tcp_flags | TCP packet flags. | keyword | +| checkpoint.termination_reason | Termination reason. | keyword | +| checkpoint.update_status | Update status. | keyword | +| checkpoint.user_status | User response. | keyword | +| checkpoint.uuid | External ID. | keyword | +| checkpoint.virus_name | Virus name. | keyword | +| checkpoint.voip_log_type | VoIP log types. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. 
| object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. 
| ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.port | Port of the destination. | long | +| destination.service.name | | keyword | +| destination.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| destination.user.group.name | Name of the group. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. 
It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| file.group | Primary group name of the file. | keyword | +| file.hash.md5 | MD5 hash. | keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). 
| keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.service.name | | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | + diff --git a/packages/cef/2.0.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json b/packages/cef/2.0.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json new file mode 100755 index 0000000000..c44bda0cc2 --- /dev/null +++ b/packages/cef/2.0.3/kibana/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "description": "Overview of Microsoft DNS activity via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 
108k\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"gridData\":{\"h\":16,\"i\":\"5\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":48},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"7\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"11\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"12\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\"
,\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"56b3b288-a0f1-416d-9d40-96a37c8484fd\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"d50cbece-4556-4421-bb06-fb015bfe7baa\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Sources by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"555cbeac-b098-4946-9498-6b700e745e8a\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to 
Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\
\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"w\":24,\"x\":0,\"y\":72},\"panelIndex\":\"3cf2118b-5231-49f5-b685-0ff0e1f52c32\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"5231e15c-d374-46ca-9553-3308d723ded3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"8cdaae20-5dcc-4930-b105-802fc344fcb6\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destinations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"88700fdc-3a96-46b8-b51f-3839111eb6ec\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"w\":24,\"x\":24,\"y\":72},\"panelIndex\":\"07f92eca-2078-4aa6-8373-d27ca33595d6\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Microsoft DNS Overview", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-56428e01-0c47-4770-8ba4-9345a029ea41", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", + "name": 
"3:panel_3", + "type": "visualization" + }, + { + "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "3cf2118b-5231-49f5-b685-0ff0e1f52c32:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f92eca-2078-4aa6-8373-d27ca33595d6:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json b/packages/cef/2.0.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json new file mode 100755 index 0000000000..e740d26d0b --- /dev/null +++ b/packages/cef/2.0.3/kibana/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "description": "Operating system activity from endpoints via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Destination User Names\":\"#E24D42\",\"Event Types\":\"#EF843C\"},\"legendOpen\":true}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":28},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"4\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"4\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 55k\":\"rgb(255,255,204)\",\"110k - 165k\":\"rgb(254,225,135)\",\"165k - 220k\":\"rgb(254,201,101)\",\"220k - 275k\":\"rgb(254,171,73)\",\"275k - 330k\":\"rgb(253,141,60)\",\"330k - 385k\":\"rgb(252,91,46)\",\"385k - 440k\":\"rgb(237,47,34)\",\"440k - 495k\":\"rgb(212,16,32)\",\"495k - 550k\":\"rgb(176,0,38)\",\"55k - 
110k\":\"rgb(255,241,170)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"5\",\"w\":24,\"x\":24,\"y\":28},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#447EBC\",\"/Failure\":\"#E24D42\",\"/Success\":\"#7EB26D\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":24,\"i\":\"9\",\"w\":24,\"x\":0,\"y\":40},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":40},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Users\":\"#E24D42\",\"Event 
Count\":\"#64B0C8\"}}},\"gridData\":{\"h\":8,\"i\":\"13\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":20,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":64},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":24,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":84},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":32,\"x\":0,\"y\":80},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":32,\"x\":0,\"y\":100},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":32,\"x\":0,\"y\":64},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"19\",\"w\":32,\"x\":0,\"y\":92},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Endpoint OS Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9e352900-89c3-4c1b-863e-249e24d0dac9", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", + "name": "3:panel_3", + "type": "visualization" 
+ }, + { + "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", + "name": "19:panel_19", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json b/packages/cef/2.0.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json new file mode 100755 index 0000000000..3fa223db88 --- /dev/null 
+++ b/packages/cef/2.0.3/kibana/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b.json 
@@ -0,0 +1,98 @@ +{ + "attributes": { + "description": "Summary of ArcSight endpoint event data", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":24,\"x\":24,\"y\":32},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":32},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6\",\"w\":24,\"x\":24,\"y\":44},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"8\",\"w\":24,\"x\":0,\"y\":44},\"panelIndex\":\"8\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"columns\":[\"cef.extensions.categoryDeviceGroup\",\"cef.extensions.categoryTechnique\",\"cef.extensions.categoryOutcome\",\"cef.extensions.categorySignificance\",\"cef.extensions.categoryObject\",\"cef.extensions.categoryBehavior\",\"cef.extensions.categoryDeviceType\"],\"enhancements\":{},\"sort\":[\"@timestamp\",\"desc\"]},\"gridData\":{\"h\":20,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":76},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"search\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"10\",\"w\":24,\"x\":24,\"y\":56},\"panelIndex\":\"10\",\"panelRefName\":\"panel_10\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Operating System\":\"#BF1B00\",\"Security 
Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":24,\"x\":0,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":20,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":56},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#629E51\",\"Anti-Virus\":\"#EAB839\",\"Database\":\"#629E51\",\"Host-based IDS/IPS\":\"#E0752D\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#BF1B00\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#64B0C8\"}}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":24,\"x\":24,\"y\":20},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"de084257-24da-4ea9-922e-a2d7565ebcd6\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"741ceaa6-5b51-4959-9935-c5961b12f539\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Event [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"ba850a09-c635-4855-b68b-de16dd200d6f\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":12,\"i\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"w\":24,\"x\":24,\"y\":64},\"panelIndex\":\"c9fd3ece-2bef-4cdc-9f83-ed689b35a17a\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Endpoint Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", 
+ "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", + "name": "8:panel_8", + "type": "visualization" + }, + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "9:panel_9", + "type": "search" + }, + { + "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "name": "10:panel_10", + "type": "visualization" + }, + { + "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "c9fd3ece-2bef-4cdc-9f83-ed689b35a17a:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json b/packages/cef/2.0.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json new file mode 100755 index 0000000000..153645a090 --- /dev/null +++ b/packages/cef/2.0.3/kibana/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": "Suspicious network activity overview via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Destination Addresses\":\"#E0752D\",\"Destination Ports\":\"#E24D42\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"1\",\"w\":32,\"x\":0,\"y\":28},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"2\",\"w\":16,\"x\":0,\"y\":40},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"3\",\"w\":16,\"x\":16,\"y\":40},\"panelIndex\":\"3\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":32,\"y\":28},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enh
ancements\":{}},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":24,\"x\":0,\"y\":52},\"panelIndex\":\"12\",\"panelRefName\":\"panel_12\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"13\",\"w\":24,\"x\":24,\"y\":52},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":40},\"panelIndex\":\"14\",\"panelRefName\":\"panel_14\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"7.3.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 50\":\"rgb(255,255,204)\",\"100 - 200\":\"rgb(253,141,60)\",\"200 - 300\":\"rgb(227,27,28)\",\"300 - 400\":\"rgb(128,0,38)\",\"50 - 100\":\"rgb(254,217,118)\"}}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"7.3.0\"}]", + "refreshInterval": { + "display": "Off", + "pause": false, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Network Suspicious Activity Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-db1e1aca-279e-4ecc-b84e-fe58644f7619", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": 
"cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", + "name": "12:panel_12", + "type": "visualization" + }, + { + "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", + "name": "14:panel_14", + "type": "visualization" + }, + { + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "17:panel_17", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json b/packages/cef/2.0.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json new file mode 100755 index 0000000000..9c26408568 --- /dev/null +++ b/packages/cef/2.0.3/kibana/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "description": "Network data overview via ArcSight", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cef.log\"},\"version\":true}" + }, + "optionsJSON": "{\"darkTheme\":false}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"1\",\"w\":48,\"x\":0,\"y\":44},\"panelIndex\":\"1\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"2\",\"w\":48,\"x\":0,\"y\":68},\"panelIndex\":\"2\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"5\",\"w\":48,\"x\":0,\"y\":12},\"panelIndex\":\"5\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"6\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"},\"legendOpen\":false}},\"gridData\":{\"h\":8,\"i\":\"7\",\"w\":40,\"x\":0,\"y\":4},\"panelIndex\":\"7\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":16,\"x\":0,\"y\":20},\"panelIndex\":\"9\",\"panelRefName\":\"panel_9\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"/Attempt\":\"#0A50A1\",\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}},\"gridData\":{\"h\":12,\"i\":\"11\",\"w\":16,\"x\":16,\"y\":20},\"panelIndex\":\"11\",\"panelRefName\":\"panel_11\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":12,\"i\":\"13\",\"w\":32,\"x\":0,\"y\":32},\"panelIndex\":\"13\",\"panelRefName\":\"panel_13\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"},\"legendOpen\":false}},\"gridData\":{\"h\":12,\"i\":\"15\",\"w\":16,\"x\":32,\"y\":32},\"panelIndex\":\"15\",\"panelRefName\":\"panel_15\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"colors\":{\"Anti-Virus\":\"#EF843C\",\"Content Security\":\"#7EB26D\",\"Firewall\":\"#E24D42\",\"Integrated Security\":\"#962D82\",\"Network-based IDS/IPS\":\"#1F78C1\",\"Operating 
System\":\"#1F78C1\",\"VPN\":\"#EAB839\"}}},\"gridData\":{\"h\":12,\"i\":\"16\",\"w\":16,\"x\":32,\"y\":20},\"panelIndex\":\"16\",\"panelRefName\":\"panel_16\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"17\",\"w\":48,\"x\":0,\"y\":52},\"panelIndex\":\"17\",\"panelRefName\":\"panel_17\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"gridData\":{\"h\":16,\"i\":\"18\",\"w\":24,\"x\":0,\"y\":76},\"panelIndex\":\"18\",\"panelRefName\":\"panel_18\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":24,\"x\":24,\"y\":76},\"panelIndex\":\"19\",\"panelRefName\":\"panel_19\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"20\",\"w\":8,\"x\":40,\"y\":4},\"panelIndex\":\"20\",\"panelRefName\":\"panel_20\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":4,\"i\":\"21\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"21\",\"panelRefName\":\"panel_21\",\"type\":\"visualization\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c6a1fd07-de0f-444b-8814-902cbf2d019a\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"c1643919-b9de-4588-826f-93710a159e2b\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Destination Locations by Events [Logs CEF 
ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"destination.geo.location\\\",\\\"id\\\":\\\"5183bb72-a077-4cf0-8aba-561a15b012cf\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\
\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"w\":24,\"x\":0,\"y\":92},\"panelIndex\":\"49de47fb-1382-4009-89d2-b96a4161e12d\",\"type\":\"map\",\"version\":\"8.0.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"sourceDescriptor\\\":{\\\"type\\\":\\\"EMS_TMS\\\",\\\"isAutoSelect\\\":true,\\\"lightModeDefault\\\":\\\"road_map_desaturated\\\"},\\\"id\\\":\\\"c2329af2-2183-45cb-9f40-d0f2e984c5b3\\\",\\\"label\\\":null,\\\"minZoom\\\":0,\\\"maxZoom\\\":24,\\\"alpha\\\":1,\\\"visible\\\":true,\\\"style\\\":{\\\"type\\\":\\\"TILE\\\"},\\\"includeInFitToBounds\\\":true,\\\"type\\\":\\\"VECTOR_TILE\\\"},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"1fc250c2-4990-401e-b70
9-61e1f4824005\\\",\\\"includeInFitToBounds\\\":true,\\\"joins\\\":[],\\\"label\\\":\\\"Top Source Locations by Events [Logs CEF ArcSight]\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"applyForceRefresh\\\":true,\\\"applyGlobalQuery\\\":true,\\\"applyGlobalTime\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"e1eda4fd-94b9-4c31-9615-70334517a966\\\",\\\"indexPatternId\\\":\\\"logs-*\\\",\\\"metrics\\\":[{\\\"type\\\":\\\"count\\\"}],\\\"requestType\\\":\\\"point\\\",\\\"resolution\\\":\\\"MOST_FINE\\\",\\\"type\\\":\\\"ES_GEO_GRID\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"Yellow to Red\\\",\\\"colorCategory\\\":\\\"palette_0\\\",\\\"field\\\":{\\\"name\\\":\\\"doc_count\\\",\\\"origin\\\":\\\"source\\\"},\\\"fieldMetaOptions\\\":{\\\"isEnabled\\\":false,\\\"sigma\\\":3},\\\"type\\\":\\\"ORDINAL\\\"},\\\"type\\\":\\\"DYNAMIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#3d3d3d\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"
mapStateJSON\":\"{\\\"zoom\\\":1.78,\\\"center\\\":{\\\"lon\\\":0,\\\"lat\\\":16.40767},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-24h\\\",\\\"to\\\":\\\"now\\\"},\\\"refreshConfig\\\":{\\\"isPaused\\\":true,\\\"interval\\\":0},\\\"query\\\":{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"},\\\"filters\\\":[],\\\"settings\\\":{\\\"autoFitToDataBounds\\\":false,\\\"backgroundColor\\\":\\\"#ffffff\\\",\\\"disableInteractive\\\":false,\\\"disableTooltipControl\\\":false,\\\"hideToolbarOverlay\\\":false,\\\"hideLayerControl\\\":false,\\\"hideViewControl\\\":false,\\\"initialLocation\\\":\\\"LAST_SAVED_LOCATION\\\",\\\"fixedLocation\\\":{\\\"lat\\\":0,\\\"lon\\\":0,\\\"zoom\\\":2},\\\"browserLocation\\\":{\\\"zoom\\\":2},\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"showScaleControl\\\":false,\\\"showSpatialFilters\\\":true,\\\"showTimesliderToggleButton\\\":true,\\\"spatialFiltersAlpa\\\":0.3,\\\"spatialFiltersFillColor\\\":\\\"#DA8B45\\\",\\\"spatialFiltersLineColor\\\":\\\"#DA8B45\\\"}}\",\"references\":[],\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":true,\"mapBuffer\":{\"maxLat\":66.51326,\"maxLon\":90,\"minLat\":-66.51326,\"minLon\":-90},\"mapCenter\":{\"lat\":16.40767,\"lon\":0,\"zoom\":1.78},\"openTOCDetails\":[]},\"gridData\":{\"h\":24,\"i\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"w\":24,\"x\":24,\"y\":92},\"panelIndex\":\"9d097034-9ebb-4f53-ad39-e42e625b541c\",\"type\":\"map\",\"version\":\"8.0.0\"}]", + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-24h", + "timeRestore": true, + "timeTo": "now", + "title": "[Logs CEF ArcSight] Network Overview Dashboard", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-dd0bc9af-2e89-4150-9b42-62517ea56b71", + "migrationVersion": { + "dashboard": "8.0.0" + }, + "references": [ + { + "id": 
"cef-f5258de9-71f7-410f-b713-201007f77470", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", + "name": "6:panel_6", + "type": "visualization" + }, + { + "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "name": "7:panel_7", + "type": "visualization" + }, + { + "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "name": "9:panel_9", + "type": "visualization" + }, + { + "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", + "name": "11:panel_11", + "type": "visualization" + }, + { + "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", + "name": "13:panel_13", + "type": "visualization" + }, + { + "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", + "name": "15:panel_15", + "type": "visualization" + }, + { + "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "name": "16:panel_16", + "type": "visualization" + }, + { + "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", + "name": "17:panel_17", + "type": "visualization" + }, + { + "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", + "name": "18:panel_18", + "type": "visualization" + }, + { + "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", + "name": "19:panel_19", + "type": "visualization" + }, + { + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "name": "20:panel_20", + "type": "visualization" + }, + { + "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", + "name": "21:panel_21", + "type": "visualization" + }, + { + "id": "logs-*", + "name": "49de47fb-1382-4009-89d2-b96a4161e12d:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d097034-9ebb-4f53-ad39-e42e625b541c:layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json b/packages/cef/2.0.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json new file mode 100755 index 0000000000..cf5b2ee7e4 --- /dev/null +++ b/packages/cef/2.0.3/kibana/search/cef-5cede2d3-20fe-4140-add4-4c4f841b71a2.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryTechnique", + "cef.extensions.categoryOutcome", + "cef.extensions.categorySignificance", + "cef.extensions.categoryObject", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint Event Explorer [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json b/packages/cef/2.0.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json new file mode 100755 index 0000000000..dad033d27d --- /dev/null +++ b/packages/cef/2.0.3/kibana/search/cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8.json 
@@ -0,0 +1,52 @@ +{ + "attributes": { + "columns": [ + "priority", + "message", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.application", + "message", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "cef.extensions.deviceAddress", + "cef.device.product", + "cef.device.vendor", + "cef.extensions.categoryDeviceGroup", + "cef.extensions.categoryDeviceType" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"query\",\"negate\":false,\"type\":\"custom\",\"value\":\"{\\\"terms\\\":{\\\"cef.extensions.categoryDeviceGroup\\\":[\\\"/VPN\\\",\\\"/IDS/Network\\\",\\\"/Firewall\\\"]}}\"},\"query\":{\"terms\":{\"cef.extensions.categoryDeviceGroup\":[\"/VPN\",\"/IDS/Network\",\"/Firewall\"]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Network Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json b/packages/cef/2.0.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json new file mode 100755 index 0000000000..9082a5e861 --- /dev/null 
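Review bot: The `columns` array of this saved search lists `"message"` twice (second entry and again after `"network.application"`), so Discover will render the same column twice in the Network Events table; drop the second occurrence. The rest of the saved search, including the `terms` filter on `cef.extensions.categoryDeviceGroup` and the two `index-pattern` references, is internally consistent.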
+++ b/packages/cef/2.0.3/kibana/search/cef-e6cf2383-71f4-4db1-a791-1a7d4f110194.json @@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "message", + "cef.device.event_class_id", + "cef.extensions.deviceEventCategory", + "source.user.name", + "destination.user.name", + "destination.domain", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "cef.extensions.sourceNtDomain", + "cef.extensions.destinationNtDomain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Endpoint - OS Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json b/packages/cef/2.0.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json new file mode 100755 index 0000000000..74d6b3c820 --- /dev/null +++ b/packages/cef/2.0.3/kibana/search/cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3.json 
@@ -0,0 +1,55 @@ +{ + "attributes": { + "columns": [ + "cef.device.vendor", + "cef.device.product", + "cef.extensions.categoryBehavior", + "cef.extensions.categoryOutcome", + "destination.ip", + "destination.port", + "destination.domain", + "cef.device.event_class_id", + "cef.extensions.deviceCustomString1Label", + "cef.extensions.deviceCustomString1", + "cef.extensions.deviceCustomString2Label", + "cef.extensions.deviceCustomString2", + "cef.extension.deviceCustomString3Label", + "cef.extension.deviceCustomString3", + "cef.extension.deviceCustomString4Label", + "cef.extension.deviceCustomString4", + "cef.extensions.deviceEventCategory", + "event.severity", + "source.ip", + "source.port", + "network.transport", + "source.bytes", + "url.original" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"}},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Microsoft DNS Events [Logs CEF ArcSight]", + "version": 1 + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json b/packages/cef/2.0.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json new file mode 100755 index 0000000000..f7372f962e --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-013ff153-7b80-490b-8fec-6e56cba785ed.json 
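Review bot: Four entries in `columns` use the prefix `cef.extension.` (`cef.extension.deviceCustomString3Label`, `cef.extension.deviceCustomString3`, `cef.extension.deviceCustomString4Label`, `cef.extension.deviceCustomString4`) while every other CEF field in the same list, including the String1 and String2 pairs, uses `cef.extensions.`. Nothing in this change suggests a separate `cef.extension` object exists, so those four columns will most likely show as missing in the Microsoft DNS Events table; they should read `cef.extensions.deviceCustomString3Label`, `cef.extensions.deviceCustomString3`, and likewise for String4.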
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Source Countries [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 20 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-013ff153-7b80-490b-8fec-6e56cba785ed", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json b/packages/cef/2.0.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json new file mode 100755 index 0000000000..e4e3fbc58d --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-01c3618c-9962-4fe9-b9c5-f73dfecc6eba", + "migrationVersion": { + "visualization": 
"8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json b/packages/cef/2.0.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json new file mode 100755 index 0000000000..bec9522083 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-0abfc226-535b-45a2-b534-e9bc87e5584f.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Bandwidth Utilization [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"kuery\",\"query\":\"\"},\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"d27f09dc-b07e-493f-a223-a85033ad6548\",\"label\":\"Inbound\",\"line_width\":1,\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"9ce9ec3a-2f11-4935-91b2-531494d2a619\",\"type\":\"sum\"}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_order_by\":\"_count\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"formatter\":\"bytes\",\"id\":\"b1ef2c75-5916-469d-8790-5b213367a5a0\",\"label\":\"Outbound\",\"line_width\":1,\"metrics\":[{\"field\":\"destination.bytes\",\"id\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"type\":\"sum\"},{\"id\":\"2a6b00bf-1658-4d02-b4e2-61ad6e4c3a9b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"11b1852f-9b62-4e96-8128-522e6c5bf16d\",\"id\":\"c57067f2-2927-41d8-97f4-9f47b3b3bcae\",\"name\":\"outbound\"}]}],\"override_index_pattern\":1,\"point_size\":1,\"seperate_axis\":0,\"series_drop_last_bucket\":1,\"series_index_pattern\":\"logs-*\",\"series_time_field\":\"@timestamp\",\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Bandwidth Utilization [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0abfc226-535b-45a2-b534-e9bc87e5584f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json b/packages/cef/2.0.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json new file mode 100755 index 0000000000..702933c209 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1.json 
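Review bot: The series labelled `Inbound` sums `source.bytes` and the series labelled `Outbound` sums (and negates) `destination.bytes`; in ECS `source.bytes` is the volume sent by the source and `destination.bytes` the volume sent by the destination, so these labels read correctly only from the destination's point of view. Confirm that is the intended perspective for an ArcSight device feed, and since the panel's `description` is empty, state it there, e.g. `"description": "Inbound = bytes sent by source (source.bytes); Outbound = bytes sent by destination (destination.bytes), plotted negative"`, so analysts do not misread the direction.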
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcomes [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"id\":\"74716d29-91c6-4095-bc7d-7f6700f12b1f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"hide_in_legend\":0,\"id\":\"932c5de4-f841-4f27-99e4-60d95d3aa16c\",\"label\":\"Event Outcomes\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"4c263b6d-8117-43c6-b83f-5c4145f43cfc\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"94371b84-a7aa-4824-b4d1-217ecbe725a5\",\"label\":\"Failure\"},{\"color\":\"rgba(104,188,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"31564794-9278-4f2e-bb20-557f5cfbea79\",\"label\":\"Success\"},{\"color\":\"rgba(251,158,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"10c0f919-0853-41b5-94b4-2e39932e7aa0\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,182,204,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"c9eca9d0-c2e0-45e6-a3ce-f158c40fdd74\",\"label\":\"Event 
Count\",\"line_width\":1,\"metrics\":[{\"id\":\"6d8513ca-cc72-4b27-91b6-6b689558cdcb\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcomes [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-0f4028b2-3dc2-4cb6-80d8-285c847a02a1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json b/packages/cef/2.0.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json new file mode 100755 index 0000000000..bba67eb563 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-118af639-1f37-4541-a960-5a3ff0613e0e.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"cef.extensions.categoryDeviceType: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes by Device Type [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-118af639-1f37-4541-a960-5a3ff0613e0e", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json b/packages/cef/2.0.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json new file mode 100755 index 0000000000..1f0e2fde5c --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-1204cf27-05e0-4905-bfa1-688aaaaaa840.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Ports [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Ports [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1204cf27-05e0-4905-bfa1-688aaaaaa840", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
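Review bot: In cef-1204cf27 the terms aggregation on `destination.port` carries `"customLabel":"Destination Addresses"`, which is what the tag cloud will show while the values are port numbers. It should read `"customLabel":"Destination Ports"` to match the object's title "Top 10 Destination Ports [Logs CEF ArcSight]". The label looks copied from one of the address-based visualizations in this set.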
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json b/packages/cef/2.0.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json new file mode 100755 index 0000000000..ec2f257b88 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint OS Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Outcomes\",\"field\":\"cef.extensions.categoryOutcome\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"20\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint OS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-158d809a-89db-4ffa-88a1-eb5c4bf58d50", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": 
"search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json b/packages/cef/2.0.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json new file mode 100755 index 0000000000..a3f9d219f4 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Direction [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"be556a57-cd1c-496c-8714-0bd210947c85\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"filter\":{\"language\":\"lucene\",\"query\":\"device\"},\"formatter\":\"number\",\"id\":\"9aae7344-9de9-4378-b21d-296cb964f93b\",\"label\":\"Inbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"1cd0b964-45cf-408e-a7e4-e26955f8a3b0\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"id\":\"f860f6e0-fbd4-4949-8046-6300322dfe84\",\"label\":\"Inbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"#68BC00\",\"fill\":\"0.2\",\"formatter\":\"number\",\"id\":\"ed1abe18-e01b-4202-9db4-06fda10692e0\",\"label\":\"Outbound Requests\",\"line_width\":1,\"metrics\":[{\"id\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"type\":\"count\"},{\"id\":\"6bc37118-ddac-41ec-85b3-9db7e1b3636b\",\"script\":\"params.outbound \\u003e 0 ? 
params.outbound * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"cfbcfc79-394b-4ec0-a2c2-7a47177d6469\",\"id\":\"f73f4f22-03d5-446a-b031-04eee531e3cc\",\"name\":\"outbound\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(211,49,21,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"id\":\"a9c50e1b-8f11-4bc2-9077-bb8870ed0b62\",\"label\":\"Outbound Requests\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Direction [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-16aef3e9-e33b-4bab-b32f-d8c5b1263ac0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json b/packages/cef/2.0.3/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json new file mode 100755 index 0000000000..db7522dd38 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-1b521f56-8089-433f-88f7-56aba867e07d.json 
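Review bot: The split filters in cef-16aef3e9 query `deviceDirection:"0"` and `deviceDirection:"1"` as a root-level field, whereas every other visualization on this page addresses CEF extension fields under `cef.extensions.*`; unless `deviceDirection` is also mapped at the root, both filters match nothing and the chart stays empty. `cef.extensions.deviceDirection:"0"` / `cef.extensions.deviceDirection:"1"` looks like the intended query, to be confirmed against the package's field mapping. The first series also carries a stray series filter `"query":"device"`, a bare term search against the default field that corresponds to no condition described by the panel and is probably a leftover.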
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Events [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destinations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" + }, + "id": "cef-1b521f56-8089-433f-88f7-56aba867e07d", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json b/packages/cef/2.0.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json new file mode 100755 index 0000000000..6c04dc9028 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716.json 
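Review bot: cef-1b521f56 is the only object in this set exported at `"migrationVersion":{"visualization":"7.10.0"}` with no `coreMigrationVersion` and with a `namespaces` array, and it is of the legacy `tile_map` type; its siblings are all at 8.0.0. It appears to have been carried over from an older export, so re-exporting it from the same Kibana version as the rest of the package (or rebuilding it as a Maps panel) would keep the saved-object migration consistent across the files. Whether the target Kibana version still accepts `tile_map` cannot be told from the diff and is worth checking before release.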
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Destinations by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-1b9cc5b7-7747-49de-96b1-a4bc7f675716", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json b/packages/cef/2.0.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json new file mode 100755 index 0000000000..3b90350ff6 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-249e2737-b41f-4115-b303-88bc9d279655.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "DNS Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Threads\",\"field\":\"cef.extensions.deviceCustomString1\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OpCodes\",\"field\":\"cef.extensions.deviceCustomString2\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Activity Types\",\"field\":\"cef.device.event_class_id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"32\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"type\":\"gauge\"},\"title\":\"DNS Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-249e2737-b41f-4115-b303-88bc9d279655", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": 
"visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json b/packages/cef/2.0.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json new file mode 100755 index 0000000000..401dfbed0a --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"P-11\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-13\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-2\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-3\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}},\"P-4\":{\"mapCenter\":[-0.17578097424708533,0],\"mapZoom\":0},\"P-5\":{\"vis\":{\"defaultColors\":{\"0 - 18,000\":\"rgb(247,251,255)\",\"108,000 - 126,000\":\"rgb(74,152,201)\",\"126,000 - 144,000\":\"rgb(46,126,188)\",\"144,000 - 162,000\":\"rgb(23,100,171)\",\"162,000 - 180,000\":\"rgb(8,74,145)\",\"18,000 - 36,000\":\"rgb(227,238,249)\",\"36,000 - 54,000\":\"rgb(208,225,242)\",\"54,000 - 72,000\":\"rgb(182,212,233)\",\"72,000 - 90,000\":\"rgb(148,196,223)\",\"90,000 - 108,000\":\"rgb(107,174,214)\"},\"legendOpen\":false}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Sources by Size [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-26a65f68-d7a6-4b47-befc-c5a6819bb91b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json b/packages/cef/2.0.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json new file mode 100755 index 0000000000..1697d134c5 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-2726382e-638a-4dcc-94fc-0ffdc0f92048.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 15 Event Types by Events [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"perPage\":15,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 15 Event Types by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-2726382e-638a-4dcc-94fc-0ffdc0f92048", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json b/packages/cef/2.0.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json new file mode 100755 index 0000000000..c52b647746 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-295986d4-d2ea-4541-8e82-7dc95c0cd830.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Event [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":35},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Event [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-295986d4-d2ea-4541-8e82-7dc95c0cd830", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
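Review bot: cef-295986d4 is titled "Top 10 Source Countries by Event" and sets `"perPage":10`, but its terms bucket on `source.geo.country_iso_code` is configured with `"size":35`, so the table aggregates 35 countries and pages through them rather than showing a top 10. Either `"size":10` to match the title, or a title that reflects the real bucket count, removes the mismatch. Every other "Top N" table on this page sets the bucket size equal to N.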
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json b/packages/cef/2.0.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json new file mode 100755 index 0000000000..63e38a3cff --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-316fdc75-7215-4c6b-8e1b-70a097b34e28.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources by Destinations [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Host\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Host\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Sources by Destinations [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-316fdc75-7215-4c6b-8e1b-70a097b34e28", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json b/packages/cef/2.0.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json new file mode 100755 index 0000000000..5ec0797be6 --- /dev/null 
+++ b/packages/cef/2.0.3/kibana/visualization/cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Network - Event Throughput [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"8d4596c5-49ad-429b-af54-5451b1c2e8d4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event 
Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"type\":\"cumulative_sum\"},{\"field\":\"ca3a65d0-9f3d-42a9-9f4e-16f9e24cba19\",\"id\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"6db67bc1-7fff-47e7-a931-f797b1f76732\",\"gamma\":0.3,\"id\":\"92bc1447-2b30-498c-ae8a-c67904fc82b2\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Network - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-33747d52-ec4c-4d91-86d8-fbdf9b9c82db", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json b/packages/cef/2.0.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json new file mode 100755 index 0000000000..563c47bef0 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Type Breakdown [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Type Breakdown [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-3c19f138-2ab3-4ecb-bb1b-86fb90158042", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json b/packages/cef/2.0.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json new file mode 100755 index 0000000000..a2085e9b19 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-499f50ba-2f84-4f7c-9021-73a4efc47921.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"bar_color\":null,\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\",\"value\":0}],\"drilldown_url\":\"\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"(cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\") AND 
_exists_:cef.extensions.categoryOutcome\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"c43af7e6-3f06-48a4-a7c3-7ba8bd6214f9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"4c7aac7d-2749-41b6-8136-40dc8636a7e7\",\"label\":\"Firewall\"}],\"split_mode\":\"filter\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"1\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Event 
Outcome\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,188,0,0.35)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Success\\\"\"},\"id\":\"cb1ae397-13a0-4b6f-a848-bcdc96870f05\",\"label\":\"Success\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Failure\\\"\"},\"id\":\"ef021c15-1b95-4334-bc3c-e2950e9b0f6f\",\"label\":\"Failure\"},{\"color\":\"rgba(0,156,224,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryOutcome:\\\"/Attempt\\\"\"},\"id\":\"2ff1e859-b178-4824-a0f2-69a115932b98\",\"label\":\"Attempt\"}],\"split_mode\":\"filters\",\"stacked\":\"stacked\",\"terms_field\":\"cef.extensions.categoryOutcome\",\"terms_size\":\"3\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Outcome [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-499f50ba-2f84-4f7c-9021-73a4efc47921", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json b/packages/cef/2.0.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json new file mode 100755 index 0000000000..0614970e4b --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf.json 
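Review bot: In cef-499f50ba the series labels appear swapped relative to their metrics: the first series, labelled `"label":"Events"`, is the one carrying the `moving_average` metric (window 10) and is drawn as a line with point size 0, while the second, labelled `"label":"Moving Average by Event Outcome"`, contains only a plain `count` split by outcome and is drawn as stacked bars. Renaming them to something like `"label":"Events (moving average)"` and `"label":"Events by Outcome"` would make the legend describe what is plotted. The first series also sets `"split_mode":"filter"` while still defining a `split_filters` array; as far as I recall TSVB only reads `split_filters` in `"filters"` mode, so one of the two is a leftover.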
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destinations [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Hosts\",\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destinations [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4a7c10c7-4abd-47b4-b4c3-dee33377fbdf", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json b/packages/cef/2.0.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json new file mode 100755 index 0000000000..b0e9b3c257 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Sources [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Hosts\",\"field\":\"source.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Sources [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-4e25b5ce-53c3-46fc-b5e5-71d3c52f1956", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json b/packages/cef/2.0.3/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json new file mode 100755 index 0000000000..86b518c893 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Source Locations by Events [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Source Location\",\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Source Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" + }, + "id": "cef-4fccee0c-7193-4aa8-919f-0b0b0a16d013", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json b/packages/cef/2.0.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json new file mode 100755 index 0000000000..5c7272c0cb --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110.json 
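Review bot: This saved object (and cef-581a296e in the following hunk) is out of step with the rest of the set: it is a legacy `tile_map` visualization, carries `"migrationVersion": {"visualization": "7.10.0"}` plus a `namespaces` array, and has no `coreMigrationVersion`, while every other object here is an `8.0.0` export without `namespaces`. That pattern suggests these two were exported from an older stack and never re-exported. Worth confirming they still import and render on the Kibana versions this package targets, and re-exporting them from a current stack so the package's saved objects are uniform.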
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destinations by Traffic Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 18k\":\"rgb(247,251,255)\",\"108k - 126k\":\"rgb(74,152,201)\",\"126k - 144k\":\"rgb(46,126,188)\",\"144k - 162k\":\"rgb(23,100,171)\",\"162k - 180k\":\"rgb(8,74,145)\",\"18k - 36k\":\"rgb(227,238,249)\",\"36k - 54k\":\"rgb(208,225,242)\",\"54k - 72k\":\"rgb(182,212,233)\",\"72k - 90k\":\"rgb(148,196,223)\",\"90k - 108k\":\"rgb(107,174,214)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bytes\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"label\":\"Inbound\"},{\"input\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"label\":\"Outbound\"}]},\"schema\":\"segment\",\"type\":\"filters\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.domain\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Blues\",\"colorsNumber\":10,\"colorsRange\":[{\"from\":0,\"to\":null}],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"top\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top Destinations by Traffic Size [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-566d8b4e-ec5c-4b8b-bd68-3cc9cb236110", + "migrationVersion": { + "visualization": 
"8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json b/packages/cef/2.0.3/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json new file mode 100755 index 0000000000..5d58895fd2 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d.json 
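Review bot: The two filter buckets in this heatmap's visState query `deviceDirection:\"0\"` and `deviceDirection:\"1\"` as a bare top-level field, whereas every other filter in these visualizations addresses CEF extension fields as `cef.extensions.<name>` (for example `cef.extensions.categoryOutcome`). Unless `deviceDirection` is mapped at the top level in this package, both buckets match no documents and the "Inbound"/"Outbound" split renders empty. Presumably the intended field is `cef.extensions.deviceDirection` — verify against the package's field definitions before changing the query.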
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Sources by Events [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"source.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Sources by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" + }, + "id": "cef-581a296e-e34a-48f1-93e4-fc4bdadfc68d", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json b/packages/cef/2.0.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json new file mode 100755 index 0000000000..bb3e848ce7 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-589fec8c-336e-4122-8fef-a450bddf84f6.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-589fec8c-336e-4122-8fef-a450bddf84f6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json b/packages/cef/2.0.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json new file mode 100755 index 0000000000..38ac936b78 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-59ad829b-12b8-4256-95a5-e7078eda628b.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Source Users by Event Type and Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Types\",\"field\":\"cef.extensions.categoryBehavior\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination User Names\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Users\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Event Types\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination User 
Names\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Source Users by Event Type and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-59ad829b-12b8-4256-95a5-e7078eda628b", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json b/packages/cef/2.0.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json new file mode 100755 index 0000000000..558660d19f --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes by User Names [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Informational\":\"#7EB26D\",\"/Informational/Warning\":\"#EF843C\",\"/Success\":\"#64B0C8\",\"Anti-Virus\":\"#B7DBAB\",\"Host-based IDS/IPS\":\"#629E51\",\"Log Consolidator\":\"#E0F9D7\",\"Operating System\":\"#3F6833\",\"Recon\":\"#BF1B00\",\"Security Mangement\":\"#CFFAFF\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Outcomes by User Names [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5bf6e4dc-4273-4e1e-a803-04347eebeb53", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json b/packages/cef/2.0.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json new file mode 100755 index 0000000000..0a393d6652 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Events by Source and Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Timestamp\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Timestamp\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Event Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Source Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"},{\"data\":{\"id\":\"4\",\"label\":\"Destination 
Users\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"title\":\"Events by Source and Destination Users [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-5f187dc8-aa7e-4f91-a2d8-1186ce254d00", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json b/packages/cef/2.0.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json new file mode 100755 index 0000000000..cc03e710d3 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users by Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"bottom\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 10 Source Users by Destination Users [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-6437e9bb-9ed1-4e2d-bb10-e63ccd35c409", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json b/packages/cef/2.0.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json new file mode 100755 index 0000000000..834908bc67 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-677891a1-90c4-4273-b126-f0e54689bd76.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-677891a1-90c4-4273-b126-f0e54689bd76", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json b/packages/cef/2.0.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json new file mode 100755 index 0000000000..9518a579c1 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-718b074e-3dd1-4d03-ba11-7f869cdcd703.json 
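Review bot: The "Endpoint Overview" link in the navigation markdown uses `#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b`, while the other four links use the `#/dashboard/<id>` form; the missing slash gives that link a different hash route from its siblings and it likely does not resolve to the dashboard. Change it to `[Endpoint Overview](#/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b)` inside the `markdown` parameter (the value is JSON-escaped within `visState`, so edit the escaped string). Also note the panel title carries a leading space, `" Dashboard Navigation [Logs CEF ArcSight]"`, in both `title` fields, which looks unintended.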
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"fd1ffeb6-678e-4163-9421-6a164fd59048\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(254,37,37,1)\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"6a10f77d-4e26-4b27-9c19-f1b0029b075b\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"845b9164-65f4-4599-b9cc-8d91b6ba8d83\",\"gamma\":0.3,\"id\":\"59675e84-1a8e-41df-9f63-875109bd795a\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" \"},\"id\":\"d9a580c3-eb83-4d20-a391-0934d7df8837\",\"label\":\"Operating System\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\" cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\"\"},\"id\":\"9ce8be14-6191-4c9a-a679-e3992fdab8d2\",\"label\":\"Host 
IDS\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"id\":\"262ecd54-a042-4bfb-b489-d7db8431c36e\",\"label\":\"Application\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"92e98952-8e25-472f-abb5-05a7d9b830ea\",\"label\":\"Moving Average by Device HostNames\",\"line_width\":1,\"metrics\":[{\"id\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"3df841a9-5997-4a1a-ad8f-69620d23e65b\",\"gamma\":0.3,\"id\":\"9765367a-0fc2-45ba-88a8-e87991210edd\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-718b074e-3dd1-4d03-ba11-7f869cdcd703", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json b/packages/cef/2.0.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json new file mode 100755 index 0000000000..c978cbecff --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-7454c034-c5f3-48fe-8fce-ef4385c80350.json 
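Review bot: This TSVB panel (and the EPS gauge in the hunk for cef-76c088c3 further down) sets `\"index_pattern\":\"logs-*\"` with `\"use_kibana_indexes\":false`, so it queries every `logs-*` index rather than this package's data stream; the other visualizations are scoped through a saved search (`savedSearchRefName`). On a shared cluster the filter on `cef.extensions.categoryDeviceGroup` keeps the counts meaningful, but the query still fans out across unrelated datasets and the panel silently depends on the `cef.extensions.*` field names being unique cluster-wide. Consider narrowing `index_pattern` to the package's own data-stream pattern so the dashboard only reads CEF data.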
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Endpoint Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Port\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Endpoint Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-7454c034-c5f3-48fe-8fce-ef4385c80350", + "migrationVersion": { + "visualization": 
"8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json b/packages/cef/2.0.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json new file mode 100755 index 0000000000..dc2ddd1c89 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Source Countries [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 5 Source Countries [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-74d2c072-6dfd-4249-8e63-dc7b0cf3c960", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json b/packages/cef/2.0.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json new file mode 100755 index 0000000000..09e0d6ff6a --- /dev/null 
+++ b/packages/cef/2.0.3/kibana/visualization/cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Event Types [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":50,\"minFontSize\":12,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Event Types [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-759e8dc3-0fdb-4cb6-ba47-87a2e2ff8df3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json b/packages/cef/2.0.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json new file mode 100755 index 0000000000..7ba2b39a50 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-76c088c3-486e-4420-8840-5ede667edffe.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint - OS Average EPS [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"ce9549a0-3af0-4070-b169-4b6d145d4c39\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"94161c6c-4f48-4beb-9d78-f79f29c02a34\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"type\":\"cumulative_sum\"},{\"field\":\"89f8286e-4aec-4cb4-83ad-b139692edf3d\",\"id\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"1df39e5f-3e98-4ed7-ab08-47f3ca2ee915\",\"gamma\":0.3,\"id\":\"f46a6e6e-444f-4c7e-b5eb-e1a59568f2eb\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"offset_time\":\"1m\",\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint - OS Average EPS [Logs CEF 
ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-76c088c3-486e-4420-8840-5ede667edffe", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json b/packages/cef/2.0.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json new file mode 100755 index 0000000000..fa5dcd2adc --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-77ee0e91-010b-4897-b483-7e9a907d2afe.json 
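Review bot: The TSVB panel queries `"index_pattern":"logs-*"` with `"use_kibana_indexes":false`, so every `logs-*` data stream in the cluster is scanned on each refresh, not just the CEF one; the Lucene filter on `cef.extensions.categoryDeviceGroup` keeps the result CEF-only only as long as no other integration populates that field. Scoping the pattern to the package's own data stream (`logs-cef.*`, assuming that is the stream this package writes to) would bound both query cost and cross-source counting. The same pattern appears in the DNS throughput panel (cef-7e2b0659), the Endpoint Average EPS panel (cef-9457ee67), the Events by Severity panel (cef-9bef4db9) and the Events by Source panel (cef-a97e3628).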
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Behaviors by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 9,000\":\"rgb(255,255,204)\",\"18,000 - 27,000\":\"rgb(254,225,135)\",\"27,000 - 36,000\":\"rgb(254,201,101)\",\"36,000 - 45,000\":\"rgb(254,171,73)\",\"45,000 - 54,000\":\"rgb(253,141,60)\",\"54,000 - 63,000\":\"rgb(252,91,46)\",\"63,000 - 72,000\":\"rgb(237,47,34)\",\"72,000 - 81,000\":\"rgb(212,16,32)\",\"81,000 - 90,000\":\"rgb(176,0,38)\",\"9,000 - 18,000\":\"rgb(255,241,170)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":10,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":false,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-77ee0e91-010b-4897-b483-7e9a907d2afe", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": 
"cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json b/packages/cef/2.0.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json new file mode 100755 index 0000000000..86943ae981 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "DNS - Event Throughput [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color_rules\":[{\"id\":\"3eadd451-5033-423f-88e3-814cc5e50b50\"}],\"bar_color_rules\":[{\"id\":\"fa374805-d1ca-4261-b723-9b482a7dd43a\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"gauge_color_rules\":[{\"gauge\":null,\"id\":\"4d957654-cc7e-4ef3-8b29-61c0aeadd51a\",\"value\":0}],\"gauge_inner_width\":10,\"gauge_max\":\"\",\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"73968651-c41e-473e-a153-a025f49d1a1b\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"90d7621e-3265-4fe8-8882-8df9605ea659\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"type\":\"count\"},{\"field\":\"ba1830b9-9ce3-4bf1-8f4d-f7478b7f1bba\",\"id\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"type\":\"cumulative_sum\"},{\"field\":\"cf3e6b1c-4136-4868-913e-0e82d88a8c9c\",\"id\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"0e407985-9ae4-4c1f-bb0e-16cd9bef7611\",\"gamma\":0.3,\"id\":\"48026f85-83c8-40e6-aff4-71f3bd6c77c9\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"DNS - Event Throughput [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-7e2b0659-0760-4182-8b29-3ee69f26bc6f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json b/packages/cef/2.0.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json new file mode 100755 index 0000000000..899b95824b --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Addresses [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-82f3fae3-1189-4f04-8ea5-47fde1d2e7b1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json b/packages/cef/2.0.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json new file mode 100755 index 0000000000..34d704fef6 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-86bd5f13-ca6b-43fa-b209-54e7460344bb.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Addresses [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-86bd5f13-ca6b-43fa-b209-54e7460344bb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json b/packages/cef/2.0.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json new file mode 100755 index 0000000000..dd63b9809f --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-89998099-9a39-44cf-beba-5b97f0524cf9.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcomes Breakdown [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Attempt\":\"#3F2B5B\",\"/Failure\":\"#BF1B00\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Time\",\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Time\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"area\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcomes Breakdown [Logs CEF 
ArcSight]\",\"type\":\"area\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-89998099-9a39-44cf-beba-5b97f0524cf9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json b/packages/cef/2.0.3/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json new file mode 100755 index 0000000000..08b966f09b --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-8b31af8b-522e-41fe-b9d6-9a3451b54108.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destination Locations by Events [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"customLabel\":\"Destination Location\",\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Events [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" + }, + "id": "cef-8b31af8b-522e-41fe-b9d6-9a3451b54108", + "migrationVersion": { + "visualization": "7.10.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json b/packages/cef/2.0.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json new file mode 100755 index 0000000000..1f8c398abc --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-8cd00d20-957d-4663-be4d-ea80b1609586.json 
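Review bot: This object is a legacy Coordinate Map (`"type":"tile_map"`) carrying `"migrationVersion":{"visualization":"7.10.0"}`, a top-level `namespaces` array and no `coreMigrationVersion`, whereas every other visualization in the commit is at `8.0.0` without `namespaces`; it reads like an export from an older Kibana that was not re-exported with the rest. Confirm that `tile_map` still loads on the Kibana versions this package targets and, if not, replace it with a Maps saved object; otherwise re-export it so the migration metadata matches its siblings. The same applies to cef-aaa80503 ("Top Destination Locations by Event"), which appears to be a near-duplicate of this panel and likewise carries a third-party WMS endpoint in its default options (left `"enabled":false`, so no tile egress unless someone toggles it).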
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Users\",\"field\":\"source.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Source Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8cd00d20-957d-4663-be4d-ea80b1609586", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json b/packages/cef/2.0.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json new file mode 100755 index 0000000000..f4f5f6eadc --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-8f6075c5-f525-4173-92a4-3a56e96e362d.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Source Countries by Events [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Events\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Country\",\"field\":\"source.geo.country_iso_code\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Source Countries by Events [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-8f6075c5-f525-4173-92a4-3a56e96e362d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json b/packages/cef/2.0.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json new file mode 100755 index 0000000000..ab180b299a --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-92aecea0-a632-4a55-bb56-50e4cdaca036.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Vendors by Product [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"OS Vendor\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"OS Product\",\"field\":\"cef.device.product\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 5 Vendors by Product [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-92aecea0-a632-4a55-bb56-50e4cdaca036", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json b/packages/cef/2.0.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json new file mode 100755 index 0000000000..3da6c90cb1 --- /dev/null 
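Review bot: The bucket labels `"customLabel":"OS Vendor"` and `"customLabel":"OS Product"` describe `cef.device.vendor` and `cef.device.product`, which carry the vendor and product of whatever device emitted the event, not an operating system; the panel has no filter narrowing it to OS events and its title is the generic "Top 5 Vendors by Product". Rename the labels to `Device Vendor` and `Device Product` (or add the OS filter the labels imply) so the legend does not mislead an analyst triaging from the dashboard.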
+++ b/packages/cef/2.0.3/kibana/visualization/cef-9457ee67-895f-4b78-a543-268f9687a745.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Endpoint Average EPS [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"85a1c642-9781-430d-b84b-b28cb2a42fb4\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Operating System\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Host\\\" OR cef.extensions.categoryDeviceGroup:\\\"/Application\\\"\"},\"gauge_color_rules\":[{\"id\":\"03a2fd72-fc9c-4582-9133-20af36217180\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"hide_last_value_indicator\":true,\"id\":\"b7a85957-123e-4e25-9e8e-ff7992c9b2b9\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"b4373ffd-9660-4206-afd6-d4867ac7dbdf\",\"label\":\"Event Throughput\",\"line_width\":1,\"metrics\":[{\"id\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"type\":\"count\"},{\"field\":\"b1a48389-d799-4eba-8b98-7ee8ef0bb440\",\"id\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"type\":\"cumulative_sum\"},{\"field\":\"7c5c44cc-17bd-4206-a100-b8996cd3d11a\",\"id\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"type\":\"derivative\",\"unit\":\"1s\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"215c5225-5368-40e6-8fcd-2b0026babba0\",\"gamma\":0.3,\"id\":\"f4dfe09a-e397-4287-ab99-3206516cded3\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"value_template\":\"{{value}} / 
s\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"gauge\",\"use_kibana_indexes\":false},\"title\":\"Endpoint Average EPS [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9457ee67-895f-4b78-a543-268f9687a745", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json b/packages/cef/2.0.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json new file mode 100755 index 0000000000..001000873c --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Severity [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"bar_color_rules\":[{\"id\":\"0ca18a89-9c81-4bee-835a-85e6103aec37\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"hide_last_value_indicator\":true,\"id\":\"c39a76e5-f613-41a9-8335-c442747791e0\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"0.0[0]a\",\"id\":\"da3b92b4-2c24-473b-9102-fb5a343a96d9\",\"label\":\"Event by Severities\",\"line_width\":1,\"metrics\":[{\"id\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"type\":\"count\"},{\"field\":\"0d189776-3f7c-4a92-95b1-73c379a341fc\",\"id\":\"1b1c931c-a09b-4980-af81-6f9c3db56401\",\"sigma\":\"\",\"type\":\"sum_bucket\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(104,204,202,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Low\\\" OR severity:\\\"0\\\"\"},\"id\":\"ebe970ac-5cc9-4c4a-af60-82affafc667c\",\"label\":\"LOW\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Medium\\\"\"},\"id\":\"0c4ff16a-b53d-4ce4-af76-d6b74d8788db\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"High\\\"\"},\"id\":\"e142c55b-6ee5-416a-8bd3-d10398044864\",\"label\":\"HIGH\"},{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"severity:\\\"Very-High\\\"\"},\"id\":\"4b05b562-c419-4214-b814-d4c242251521\",\"label\":\"VERY 
HIGH\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"top_n\",\"use_kibana_indexes\":false},\"title\":\"Events by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-9bef4db9-a8b2-4be8-b2b0-6ea02fab424d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json b/packages/cef/2.0.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json new file mode 100755 index 0000000000..8ec3a53f1f --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-a729c249-8d34-4eb1-bbb0-5d25cf224114.json 
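Review bot: The four `split_filters` in this panel query a bare top-level `severity` field (`severity:\"Low\" OR severity:\"0\"`, `severity:\"Medium\"`, …), a field name no other panel in the commit uses; the rest of the dashboard reads CEF data through `cef.*` and ECS fields, so unless the CEF pipeline copies severity to a root-level `severity`, all four series will be empty and the panel will silently show nothing. Check the data stream's field definitions and point the filters at the mapped field (likely `cef.severity`, or the numeric `event.severity`), keeping the `\"0\"` alternative only if that field is indexed as a keyword. Because the panel also queries `logs-*`, a root-level `severity` term could additionally match events from unrelated integrations.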
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0% - 17%\":\"rgb(255,255,204)\",\"17% - 34%\":\"rgb(255,230,146)\",\"34% - 50%\":\"rgb(254,191,90)\",\"50% - 67%\":\"rgb(253,141,60)\",\"67% - 84%\":\"rgb(244,61,37)\",\"84% - 100%\":\"rgb(202,8,35)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device Host Names\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"colorsNumber\":6,\"colorsRange\":[],\"enableHover\":true,\"invertColors\":false,\"legendPosition\":\"right\",\"percentageMode\":true,\"setColorRange\":false,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"color\":\"#555\",\"rotate\":0,\"show\":false},\"scale\":{\"defaultYExtents\":false,\"type\":\"linear\"},\"show\":false,\"type\":\"value\"}]},\"title\":\"Top 10 Devices by Outcome [Logs CEF ArcSight]\",\"type\":\"heatmap\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a729c249-8d34-4eb1-bbb0-5d25cf224114", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json b/packages/cef/2.0.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json new file mode 100755 index 0000000000..a5448711e4 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"0c929603-fc92-4ebc-a963-fe2795417d89\",\"label\":\"Firewall 
Events\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\"\"},\"id\":\"7798827b-87ab-436b-9e62-9fe36143eb9b\",\"label\":\"Intrusion Detection Events\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"id\":\"490f7ad7-8218-45f9-85a9-a4dd9ed7da13\",\"label\":\"VPN\"}],\"split_mode\":\"filters\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\":null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Moving Average by Device Hosts\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"observer.hostname\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-a97e3628-022b-46cf-8f29-a73cf9bb4e26", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json b/packages/cef/2.0.3/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json new file mode 100755 index 0000000000..42a376cff4 --- /dev/null 
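Review bot: In the first series of "Events by Source", the series-level `"filter"` restricts to `cef.extensions.categoryDeviceGroup:\"/Firewall\"` while `split_mode` is `filters` with splits for `/Firewall`, `/IDS/Network` and `/VPN`; TSVB applies the series filter on top of each split filter, so the "Intrusion Detection Events" and "VPN" series cannot have data unless that field is multi-valued, and only the firewall line will ever draw. Drop the series-level filter (the panel-level filter already admits firewall, IDS and VPN events) or narrow the splits to subsets of `/Firewall`. The `"terms_field":"observer.hostname"` on that same series is unused while `split_mode` is `filters` and can be removed for clarity.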
+++ b/packages/cef/2.0.3/kibana/visualization/cef-aaa80503-6d96-4a33-806f-b8a10aefe696.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top Destination Locations by Event [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"autoPrecision\":true,\"field\":\"destination.geo.location\",\"precision\":2,\"useGeocentroid\":true},\"schema\":\"segment\",\"type\":\"geohash_grid\"}],\"listeners\":{},\"params\":{\"addTooltip\":true,\"heatBlur\":15,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatNormalizeData\":true,\"heatRadius\":25,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Shaded Circle Markers\",\"mapZoom\":2,\"wms\":{\"enabled\":false,\"options\":{\"attribution\":\"Maps provided by USGS\",\"format\":\"image/png\",\"layers\":\"0\",\"styles\":\"\",\"transparent\":true,\"version\":\"1.3.0\"},\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\"}},\"title\":\"Top Destination Locations by Event [Logs CEF ArcSight]\",\"type\":\"tile_map\"}" + }, + "id": "cef-aaa80503-6d96-4a33-806f-b8a10aefe696", + "migrationVersion": { + "visualization": "7.10.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json b/packages/cef/2.0.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json new file mode 100755 index 0000000000..71eae19918 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-acc915fe-b971-4795-9040-3fbfdf62abe1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Users [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Users\",\"field\":\"destination.user.name\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":60,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Users [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-acc915fe-b971-4795-9040-3fbfdf62abe1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json b/packages/cef/2.0.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json new file mode 100755 index 0000000000..8a888d067a --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-b1002b5c-08fc-4bbe-b9a0-6243a8637e60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json b/packages/cef/2.0.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json new file mode 100755 index 0000000000..6601533058 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-c394e650-b16c-407c-b305-bd409d69d433.json @@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\"}}}" + }, + "title": " Dashboard Navigation [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"markdown\":\"[Network Overview](#/dashboard/cef-dd0bc9af-2e89-4150-9b42-62517ea56b71) | [Network Suspicious Activity](#/dashboard/cef-db1e1aca-279e-4ecc-b84e-fe58644f7619) | [Endpoint Overview](#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b) | [Endpoint OS Activity](#/dashboard/cef-9e352900-89c3-4c1b-863e-249e24d0dac9) | [Microsoft DNS Overview](#/dashboard/cef-56428e01-0c47-4770-8ba4-9345a029ea41)\"},\"title\":\" Dashboard Navigation [Logs CEF ArcSight]\",\"type\":\"markdown\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c394e650-b16c-407c-b305-bd409d69d433", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
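Review bot: The `Endpoint Overview` link in the markdown params is written as `#dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b`, while the four sibling links use the `#/dashboard/...` form; the missing `/` is at least inconsistent and, depending on how Kibana resolves hash routes, may leave that entry as a dead link. Change it to `[Endpoint Overview](#/dashboard/cef-c10ce1cf-f6b8-4de4-8715-2cb5f6770b3b)`. The visualization title also carries a leading space (`" Dashboard Navigation [Logs CEF ArcSight]"`), which shows up in the saved-objects list and in any title-based lookup; drop it unless it is intentional.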
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json b/packages/cef/2.0.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json new file mode 100755 index 0000000000..4860454ee5 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Destination Port [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":18,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\"},\"title\":\"Top 10 Destination Port [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-c5120e27-1f8c-41e3-83ee-78ec4d470c2f", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json b/packages/cef/2.0.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json new file mode 100755 index 0000000000..bf65f0baac --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-d02dd523-ce91-40e9-9209-83797f80ed45.json 
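Review bot: The title says "Top 10 Destination Port" but the terms aggregation on `destination.port` is configured with `"size":20`, so the tag cloud renders up to twenty ports. Either the title or the bucket size is wrong; align them with `"size":10` (matching the sibling "Top 10" visualizations in this package) or retitle the visualization.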
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Source Addresses [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"a0bf5a1d-8ebf-49d4-a347-738a6ce20562\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" \"},\"gauge_color_rules\":[{\"id\":\"42f84a0a-ee13-4ca8-b61d-3de482ae4ab0\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\" 
\"},\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"117fde19-e227-4fcb-8019-e82e6677c340\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostmessage\",\"terms_order_by\":null,\"value_template\":\"{{value}}\"},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(104,188,0,1)\",\"fill\":\"0.5\",\"formatter\":\"number\",\"id\":\"3ffe652e-43c2-4a1d-ad8a-f7ab10f09f2b\",\"label\":\"Top Source Addresses\",\"line_width\":\"0\",\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"b753ad38-c3ed-4463-8f6d-176f4d477897\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"source.ip\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Source Addresses [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d02dd523-ce91-40e9-9209-83797f80ed45", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file 
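Review bot: The first series sets `"terms_field":"observer.hostmessage"`, a field name that appears nowhere else in this package (the sibling visualizations use `observer.hostname`); it is inert here only because `"split_mode":"everything"` ignores `terms_field`, but it will produce an empty split the moment someone switches the series to terms. Replace it with `"terms_field":"observer.hostname"` or remove it. Note also that this TSVB panel runs with `"use_kibana_indexes":false` against `"index_pattern":"logs-*"`, so it scans every logs-* data stream in the deployment and relies solely on the `cef.extensions.categoryDeviceGroup` filter for scoping; if the package has a narrower data-stream pattern available, using it would bound both the query cost and the data the panel can expose.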
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json b/packages/cef/2.0.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json new file mode 100755 index 0000000000..f56ace942b --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Metrics Overview [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"8\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Devices\",\"field\":\"observer.hostname\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Sources\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destinations\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"7\",\"params\":{\"customLabel\":\"Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":false,\"addTooltip\":true,\"fontSize\":\"30\",\"gauge\":{\"autoExtend\":false,\"backStyle\":\"Full\",\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":100}],\"gaugeColorMode\":\"None\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Metric\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":false,\"width\":2},\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":\"12\",\"labelColor\":false,\"subText\":\"\"},\"type\":\"simple\",\"useRange\":false,\"verticalSplit\":false},\"handleNoResults\":true,\"type\":\"gauge\"},\"title\":\"Device Metrics Overview [Logs CEF ArcSight]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-d061c7a9-7f92-4bf4-b35c-499b9f4b987a", + "migrationVersion": { + "visualization": 
"8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json b/packages/cef/2.0.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json new file mode 100755 index 0000000000..6cf6e86635 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-df056709-2deb-4363-ae7a-b0148ea456c6.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Protocols\",\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocols\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcome [Logs CEF 
ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-df056709-2deb-4363-ae7a-b0148ea456c6", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json b/packages/cef/2.0.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json new file mode 100755 index 0000000000..20bdf88f92 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9.json 
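Review bot: The segment aggregation and its category axis are labelled `"Protocols"` but the bucketed field is `destination.port`, so the X axis presents port numbers under a "Protocols" heading. Rename the label to match the data, e.g. `"customLabel":"Destination Ports"` and `"title":{"text":"Destination Ports"}`, consistent with the "Destination Ports" label used for the same field in the bandwidth table of this package.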
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 20 Behaviors by Outcome [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Behavior\",\"field\":\"cef.extensions.categoryBehavior\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Top 20 Behaviors by Outcome [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e06d85f2-2da4-41e2-b2ab-f685b64bb3f9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-e6cf2383-71f4-4db1-a791-1a7d4f110194", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json b/packages/cef/2.0.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json new file mode 100755 index 0000000000..cb732f40b3 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-e513c269-350c-40c3-ac20-16c5782103b8.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Device Types [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"background_color\":null,\"background_color_rules\":[{\"id\":\"2fddda5e-d6fc-4581-bbb7-574e1017ae8f\"}],\"bar_color_rules\":[{\"id\":\"23db5bf6-f787-474e-86ab-76362432e984\"}],\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceType:\\\"Firewall\\\" OR cef.extensions.categoryDeviceGroup:\\\"/IDS/Network\\\" OR cef.extensions.categoryDeviceGroup:\\\"/VPN\\\"\"},\"gauge_color_rules\":[{\"id\":\"3ed9a6b9-fd2e-4e0d-bd83-7ad467b3c8a4\"}],\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"gauge_width\":10,\"id\":\"ec53a1d3-213c-4b0f-a074-5005a84cdb83\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(211,49,21,1)\",\"fill\":\"0\",\"filter\":\"\",\"formatter\":\"number\",\"id\":\"04c44192-1112-4515-a8d9-e9e13215aecf\",\"label\":\"Events\",\"line_width\":\"3\",\"metrics\":[{\"id\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"c5dbb050-fc10-4a0d-abe0-bc093db6cf0e\",\"gamma\":0.3,\"id\":\"e5a48d9d-7834-4da7-8d78-7d4528136b9b\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"sigma\":\"\",\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"cef.extensions.categoryDeviceGroup:\\\"/Firewall\\\"\"},\"id\":\"78bfdf07-ec02-4dd8-8ff4-b7e250c561c2\",\"label\":\"Firewall\"}],\"split_mode\":\"everything\",\"stacked\":\"none\",\"steps\":0,\"terms_field\":\"observer.hostname\",\"terms_order_by\"
:null},{\"axis_position\":\"left\",\"chart_type\":\"bar\",\"color\":\"rgba(251,158,0,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"29d6131a-5143-4a64-b597-9538692f0269\",\"label\":\"Top Device Types by Mvg Averages\",\"line_width\":1,\"metrics\":[{\"id\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"type\":\"count\"},{\"alpha\":0.3,\"beta\":0.1,\"field\":\"dc74afdf-64ad-47d6-bbed-114e09d12255\",\"gamma\":0.3,\"id\":\"87e21aaa-12eb-4213-bb37-41cb19219240\",\"model_type\":\"simple\",\"multiplicative\":false,\"period\":1,\"type\":\"moving_average\",\"window\":\"10\"}],\"point_size\":1,\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.extensions.categoryDeviceType\",\"terms_size\":\"10\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Device Types [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e513c269-350c-40c3-ac20-16c5782103b8", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json b/packages/cef/2.0.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json new file mode 100755 index 0000000000..5387593733 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-e89a64e8-928c-41fc-8745-3c8157b21cdb.json 
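Review bot: The panel-level filter selects firewall traffic with `cef.extensions.categoryDeviceType:"Firewall"`, while the sibling "Events by Source Addresses" panel and this panel's own `split_filters` entry select it with `cef.extensions.categoryDeviceGroup:"/Firewall"`; the two visualizations therefore count different event sets for what the dashboard presents as the same category. Pick one predicate for the whole package, presumably `cef.extensions.categoryDeviceGroup:"/Firewall"` since the IDS and VPN clauses in the same query already use `categoryDeviceGroup`. The `split_filters` array with the "Firewall" entry is also dead configuration because `"split_mode":"everything"` ignores it; remove it or switch the series to `"split_mode":"filters"`.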
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Devices by Bandwidth [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Device\",\"field\":\"observer.hostname\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source(s)\",\"field\":\"source.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination(s)\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"6\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Bandwidth (Incoming)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Bandwidth (Outgoing)\",\"field\":\"destination.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 10 Devices by Bandwidth [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-e89a64e8-928c-41fc-8745-3c8157b21cdb", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json b/packages/cef/2.0.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json new file mode 100755 index 0000000000..4c21032237 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Sources by Destination Ports [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Event Count\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Source Address\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"2\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":true,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top 5 Sources by Destination Ports [Logs CEF ArcSight]\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f03d734b-b85c-4e99-9c0e-9c89716a81f3", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cef/2.0.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json b/packages/cef/2.0.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json new file mode 100755 index 0000000000..827c7905e2 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events Types by Severity [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"db54ebce-9dd2-4a1e-b476-b3ddb9a9024e\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":\"0\",\"formatter\":\"number\",\"id\":\"81da76ca-1112-4d91-82f4-c66cd3156a84\",\"label\":\"Cumulative Bytes\",\"line_width\":\"3\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"521d560c-321a-4410-9eb3-2b2bf3f4efee\",\"type\":\"count\"}],\"point_size\":\"0\",\"seperate_axis\":1,\"split_color_mode\":\"gradient\",\"split_filters\":[{\"color\":\"rgba(244,78,59,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\")\"},\"id\":\"3f31a7e4-acf3-4f2d-8b7d-e30522325b2a\",\"label\":\"HIGH\"},{\"color\":\"rgba(254,146,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR 
cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\")\"},\"id\":\"7949d31b-8aae-433a-b7cf-6939a8728cc9\",\"label\":\"MEDIUM\"},{\"color\":\"rgba(252,220,0,1)\",\"filter\":{\"language\":\"lucene\",\"query\":\"(NOT (event.severity:\\\"2\\\" OR event.severity:\\\"3\\\" OR event.severity:\\\"5\\\" OR event.severity:\\\"16\\\" OR cef.extension.deviceCustomString4:\\\"SERVFAIL\\\" OR cef.extension.deviceCustomString4:\\\"NXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"REFUSED\\\" OR cef.extension.deviceCustomString4:\\\"BADVERS\\\" OR cef.extension.deviceCustomString4:\\\"BADSIG\\\" OR event.severity:\\\"1\\\" OR event.severity:\\\"4\\\" OR event.severity:\\\"6\\\" OR event.severity:\\\"7\\\" OR event.severity:\\\"8\\\" OR event.severity:\\\"9\\\" OR event.severity:\\\"10\\\" OR event.severity:\\\"17\\\" OR event.severity:\\\"18\\\" OR event.severity:\\\"19\\\" OR event.severity:\\\"20\\\" OR event.severity:\\\"21\\\" OR event.severity:\\\"22\\\" OR cef.extension.deviceCustomString4:\\\"Error\\\" OR cef.extension.deviceCustomString4:\\\"ERROR\\\" OR cef.extension.deviceCustomString4:\\\"Warning\\\" OR 
cef.extension.deviceCustomString4:\\\"WARNING\\\" OR cef.extension.deviceCustomString4:\\\"FORMERR\\\" OR cef.extension.deviceCustomString4:\\\"NOTIMP\\\" OR cef.extension.deviceCustomString4:\\\"YXDOMAIN\\\" OR cef.extension.deviceCustomString4:\\\"YXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NXRRSET\\\" OR cef.extension.deviceCustomString4:\\\"NOTAUTH\\\" OR cef.extension.deviceCustomString4:\\\"NOTZONE\\\" OR cef.extension.deviceCustomString4:\\\"BADKEY\\\" OR cef.extension.deviceCustomString4:\\\"BADTIME\\\" OR cef.extension.deviceCustomString4:\\\"BADMODE\\\" OR cef.extension.deviceCustomString4:\\\"BADNAME\\\" OR cef.extension.deviceCustomString4:\\\"BADALG\\\" OR cef.extension.deviceCustomString4:\\\"BADTRUNC\\\"))\"},\"id\":\"d2627211-5f9e-4c65-8a47-1cd6f085939d\",\"label\":\"LOW\"}],\"split_mode\":\"filters\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"bar\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"a5fda184-fdd6-4221-ab59-492eab162f0a\",\"label\":\"Count by Event Type\",\"line_width\":1,\"metrics\":[{\"id\":\"e147ba1c-b13a-496f-9841-b99ddee81c5a\",\"type\":\"count\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"terms\",\"stacked\":\"none\",\"terms_field\":\"cef.device.event_class_id\",\"terms_size\":\"20\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events Types by Severity [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f0e60404-ddf4-4b46-8e45-e28c4fb6d60d", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json b/packages/cef/2.0.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json new file mode 100755 index 0000000000..5b23c7fb8e 
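Review bot: All three severity split filters reference `cef.extension.deviceCustomString4` (singular `extension`), whereas every other visualization in this package addresses CEF extension fields as `cef.extensions.*`. If the field is indexed under `cef.extensions.deviceCustomString4`, none of the DNS rcode clauses (`SERVFAIL`, `NXDOMAIN`, `REFUSED`, `BADSIG`, …) ever match, so the HIGH and MEDIUM series silently undercount and those events fall into LOW via the `NOT (...)` clause; only the `event.severity` terms are doing any work. Replace `cef.extension.` with `cef.extensions.` throughout the three queries, or confirm the field path against the package's field definitions. Separately, the series labelled `"Cumulative Bytes"` uses `{"field":"source.bytes","type":"count"}`, which is a document count, not a byte total; use `"type":"sum"` or relabel it.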
--- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0.json 
@@ -0,0 +1,19 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "title": "Events by Size [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"listeners\":{},\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"drop_last_bucket\":1,\"filter\":{\"language\":\"lucene\",\"query\":\"cef.device.product:\\\"DNS Trace Log\\\"\"},\"id\":\"6e634117-6b30-411c-b74c-75510befe42f\",\"index_pattern\":\"logs-*\",\"interval\":\"auto\",\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(0,156,224,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"0\\\"\"},\"formatter\":\"bytes\",\"id\":\"28b1fb5b-0f16-4519-b901-4dd2dcc39915\",\"label\":\"Inbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"f613f33f-6459-4e46-a3a0-c36c48c46b2e\",\"type\":\"sum\"}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"},{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"rgba(244,78,59,1)\",\"fill\":0.5,\"filter\":{\"language\":\"lucene\",\"query\":\"deviceDirection:\\\"1\\\"\"},\"formatter\":\"bytes\",\"id\":\"5a5c2529-4990-4006-b039-c94069ff6b7e\",\"label\":\"Outbound Bytes\",\"line_width\":\"2\",\"metrics\":[{\"field\":\"source.bytes\",\"id\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"type\":\"sum\"},{\"id\":\"0aaab374-5845-44ab-94f5-ac4fab25c287\",\"script\":\"params.outbound_bytes \\u003e= 0 ? 
params.outbound_bytes * -1 : 0\",\"type\":\"calculation\",\"variables\":[{\"field\":\"b69501e7-56d5-4c38-81d1-34d778c81e11\",\"id\":\"23b8c41c-0e98-4ace-8bca-3593e46cd955\",\"name\":\"outbound_bytes\"}]}],\"point_size\":1,\"seperate_axis\":0,\"split_color_mode\":\"gradient\",\"split_mode\":\"filter\",\"stacked\":\"none\"}],\"show_legend\":1,\"time_field\":\"@timestamp\",\"type\":\"timeseries\",\"use_kibana_indexes\":false},\"title\":\"Events by Size [Logs CEF ArcSight]\",\"type\":\"metrics\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f3c573ad-2c16-4de5-9ec3-0a47141d4fa0", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json b/packages/cef/2.0.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json new file mode 100755 index 0000000000..aed8102339 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-f5258de9-71f7-410f-b713-201007f77470.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Application Protocols [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.application\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"maxFontSize\":72,\"minFontSize\":26,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"square root\"},\"title\":\"Top 10 Application Protocols [Logs CEF ArcSight]\",\"type\":\"tagcloud\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f5258de9-71f7-410f-b713-201007f77470", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json b/packages/cef/2.0.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json new file mode 100755 index 0000000000..74a61138dc --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-f57734dd-0f32-42b4-94dd-5d597f6735e1.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Device Types by Vendor [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"exclude\":\"Network-based IDS/IPS\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"exclude\":\"\",\"field\":\"cef.device.vendor\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":false,\"legendPosition\":\"right\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"}},\"title\":\"Device Types by Vendor [Logs CEF ArcSight]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-f57734dd-0f32-42b4-94dd-5d597f6735e1", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json b/packages/cef/2.0.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json new file mode 100755 index 0000000000..32a6dda32a --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-fa8b26c1-6973-4381-adb3-bcde0d03a520.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Unique Destinations and Ports by Source [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Destination Addresses\",\"field\":\"destination.ip\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source Addresses\",\"field\":\"source.ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination Ports\",\"field\":\"destination.port\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source Addresses\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Destination Addresses\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Destination 
Ports\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Addresses\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Ports\"},\"type\":\"value\"}]},\"title\":\"Unique Destinations and Ports by Source [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fa8b26c1-6973-4381-adb3-bcde0d03a520", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json b/packages/cef/2.0.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json new file mode 100755 index 0000000000..cce501f750 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-fcf798a8-db8f-4492-827b-8fa7581108a9.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Event Types by Size [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"Count\":\"#64B0C8\",\"Total (Bytes)\":\"#E24D42\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Event Type\",\"field\":\"cef.device.event_class_id\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total (Bytes)\",\"field\":\"source.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Event Type\"},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"3\",\"label\":\"Total (Bytes)\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":3,\"mode\":\"normal\",\"show\":true,\"showCircles\":false,\"type\":\"line\",\"valueAxis\":\"ValueAxis-2\"}],\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"},{\"id\":\"ValueAxis-2\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"RightAxis-1\",\"position\":\"right\",\"scale\":{\"mode\":\"normal\",\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total (Bytes)\"},\"type\":\"value\"}]},\"title\":\"Event Types by Size [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fcf798a8-db8f-4492-827b-8fa7581108a9", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-f85a3444-8a43-4e46-b872-4e44bc25d0f3", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json b/packages/cef/2.0.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json new file mode 100755 index 0000000000..0907dbbef8 --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Ports by Outcomes [Logs CEF ArcSight]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"destination.port\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination.port: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"defaultYExtents\":true,\"mode\":\"normal\",\"setYExtents\":false,\"type\":\"square root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Destination Ports by Outcomes [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + 
"coreMigrationVersion": "8.0.0", + "id": "cef-fe7b63d1-dbc7-4376-af7f-ace97a9f2e60", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-5cede2d3-20fe-4140-add4-4c4f841b71a2", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cef/2.0.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json b/packages/cef/2.0.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json new file mode 100755 index 0000000000..df5b0a6e9f --- /dev/null +++ b/packages/cef/2.0.3/kibana/visualization/cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[]}" + }, + "savedSearchRefName": "search_0", + "title": "Outcome by Device Type [Logs CEF ArcSight]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"/Failure\":\"#BF1B00\",\"/Success\":\"#629E51\"}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Firewall Types\",\"field\":\"cef.extensions.categoryDeviceType\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Event Outcome\",\"field\":\"cef.extensions.categoryOutcome\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":3},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Firewall Types\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":true,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"percentage\",\"type\":\"square 
root\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"value\"}]},\"title\":\"Outcome by Device Type [Logs CEF ArcSight]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "8.0.0", + "id": "cef-fff249b2-18b6-4b48-bcf7-dd4595d111e7", + "migrationVersion": { + "visualization": "8.0.0" + }, + "references": [ + { + "id": "cef-68202a5c-c8f2-432f-8c08-04fbfacb95c8", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file
diff --git a/packages/cef/2.0.3/manifest.yml b/packages/cef/2.0.3/manifest.yml
new file mode 100755
index 0000000000..5bcae7fa17
--- /dev/null
+++ b/packages/cef/2.0.3/manifest.yml
@@ -0,0 +1,26 @@
+name: cef
+title: CEF Logs
+version: "2.0.3"
+release: ga
+description: Collect logs from CEF Logs with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories:
+ - network
+ - security
+conditions:
+ kibana.version: ^8.0.0
+policy_templates:
+ - name: cef
+ title: CEF logs
+ description: Collect logs from CEF instances
+ inputs:
+ - type: logfile
+ title: "Collect CEF application logs (input: logfile)"
+ description: "Collecting application logs from CEF instances (input: logfile)"
+ - type: udp
+ title: "Collect CEF application logs (input: udp)"
+ description: "Collecting application logs from CEF instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/checkpoint/1.5.1/changelog.yml b/packages/checkpoint/1.5.1/changelog.yml
new file mode 100755
index 0000000000..8c46c1e29a
--- /dev/null
+++ b/packages/checkpoint/1.5.1/changelog.yml
@@ -0,0 +1,126 @@ +# newer versions go on top +- version: "1.5.1" + changes: + - description: Update Checkpoint logo. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 +- version: "1.5.0" + changes: + - description: Add TLS and custom options support to TCP input. + type: enhancement + link: https://github.com/elastic/integrations/pull/3317 +- version: "1.4.0" + changes: + - description: Update to ECS 8.2 to use new email field set. + type: enhancement + link: https://github.com/elastic/integrations/pull/2803 +- version: "1.3.6" + changes: + - description: Fixed parsing error when logs have trailing spaces + type: bugfix + link: https://github.com/elastic/integrations/pull/3035 +- version: "1.3.5" + changes: + - description: Added link to check point documentation. + type: enhancement + link: https://github.com/elastic/integrations/pull/2926 +- version: "1.3.4" + changes: + - description: Change mapping type of checkpoint.source_object to keyword from integer. + type: bugfix + link: https://github.com/elastic/integrations/pull/2951 +- version: "1.3.3" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.3.2" + changes: + - description: Fix field mapping conflicts for `checkpoint.icmp_type`, `checkpoint.icmp_code` & `checkpoint.email_recipients_num` + type: bugfix + link: https://github.com/elastic/integrations/pull/2895 +- version: "1.3.1" + changes: + - description: Add Ingest Pipeline script to map IANA Protocol Numbers + type: bugfix + link: https://github.com/elastic/integrations/pull/2470 +- version: "1.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2387 +- version: "1.2.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.2.1" + changes: + - 
description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2231 +- version: "1.1.2" + changes: + - description: Update Title and Description. + type: enhancement + link: https://github.com/elastic/integrations/pull/1951 +- version: "1.1.1" + changes: + - description: Fix logic that checks for the 'forwarded' tag + type: bugfix + link: https://github.com/elastic/integrations/pull/1803 +- version: "1.1.0" + changes: + - description: Update to ECS 1.12.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1653 +- version: "1.0.0" + changes: + - description: make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/1605 +- version: "0.8.2" + changes: + - description: Convert to generated ECS fields + type: enhancement + link: https://github.com/elastic/integrations/pull/1470 +- version: '0.8.1' + changes: + - description: update to ECS 1.11.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/1376 +- version: "0.8.0" + changes: + - description: Update integration description + type: enhancement + link: https://github.com/elastic/integrations/pull/1364 +- version: "0.7.0" + changes: + - description: Set "event.module" and "event.dataset" + type: enhancement + link: https://github.com/elastic/integrations/pull/1256 +- version: "0.6.0" + changes: + - description: update to ECS 1.10.0 and syncing module changes + type: enhancement + link: https://github.com/elastic/integrations/pull/1033 +- version: "0.5.2" + changes: + - description: update to ECS 1.9.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/839 +- version: "0.5.1" + changes: + - description: Change kibana.version constraint to be more conservative. 
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/220
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/log.yml.hbs b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/log.yml.hbs
new file mode 100755
index 0000000000..24ecbba6d7
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,38 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..cc8e682ac4
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/tcp.yml.hbs
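Review bot: The zone names written under `internal_zones` and `external_zones` in the two `add_fields` processors are emitted as plain scalars (`- {{zone}}`), so a zone name that YAML reads as a boolean, number or null (for example `NO`, `on`, or an all-digit name) is retyped before the processor ever sees it; quoting the template value, `- "{{zone}}"`, keeps every zone a string. The same applies to `- {{path}}` and `- {{tag}}` earlier in this hunk, and the identical zone stanzas recur in tcp.yml.hbs and udp.yml.hbs below, so the fix belongs in all three templates. A short Handlebars comment above the first `{{#if internal_zones.length}}`, such as `{{!-- zone names land in _temp_.internal_zones / _temp_.external_zones; presumably read by the ingest pipeline, verify there --}}`, would also tell a maintainer why `_temp_` is the target.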
@@ -0,0 +1,40 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if tcp_options.length}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..79ed0fc89d
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,34 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if internal_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ internal_zones:
+ {{#each internal_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
+{{#if external_zones.length}}
+- add_fields:
+ target: _temp_
+ fields:
+ external_zones:
+ {{#each external_zones as |zone i|}}
+ - {{zone}}
+ {{/each}}
+{{/if}}
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/checkpoint/1.5.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..6de6cf8bbd
--- /dev/null
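Review bot: The guard `{{#if tcp_options.length}}` on the last three lines of the tcp.yml.hbs hunk is inconsistent with `{{#if ssl}}` earlier in the same template, even though both values are spliced in as bare YAML fragments (`ssl: {{ssl}}`, `{{tcp_options}}`); if `tcp_options` is a YAML mapping rather than an array, `.length` is undefined, the block never renders, and whatever the user configured there is silently dropped. The variable's declared type lives in the manifest, outside this hunk, so confirm it; `{{#if tcp_options}}` is the consistent test either way. Since TLS on this listener is only configured when the `ssl` block is present, a Handlebars comment above it would make the default explicit for operators, e.g. `{{!-- TLS applies only when ssl is set; without it the TCP syslog listener accepts plaintext --}}`.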
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,835 @@ +--- +description: Pipeline for parsing checkpoint firewall logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - grok: + field: event.original + patterns: + - '%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) + +(?:%{IPORHOST:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) + +(-|%{SYSLOG5424PRINTASCII:syslog5424_proc}) +(?::-|%{SYSLOG5424PRINTASCII:syslog5424_msgid}) + +\[%{GREEDYDATA:syslog5424_sd}\]' + - kv: + field: syslog5424_sd + field_split: "; " + value_split: ":" + trim_key: " " + trim_value: " " + prefix: checkpoint. + strip_brackets: true + ignore_failure: true + exclude_keys: + - flags + - layer_uuid + - originsicname + - __policy_id_tag + - version + - rounded_bytes + - db_tag + - update_service + - remove: + field: + - syslog5424_sd + - syslog5424_app + - syslog5424_host + - syslog5424_msgid + - syslog5424_pri + - syslog5424_proc + - syslog5424_ver + - host + ignore_missing: true + - rename: + field: "@timestamp" + target_field: "event.created" + ignore_missing: true + - date: + field: "syslog5424_ts" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time == null" + - append: + field: event.category + value: network + if: ctx.checkpoint?.operation != 'Log In' + - set: + field: observer.vendor + value: Checkpoint + - set: + field: observer.type + value: firewall + if: ctx.checkpoint?.type == null + - set: + field: observer.product + value: "{{checkpoint.product}}" + ignore_empty_value: true + - rename: + field: checkpoint.src + target_field: source.ip + ignore_missing: true + - rename: + field: checkpoint.client_ip + target_field: source.ip + ignore_missing: true + if: ctx.source?.ip == null + - rename: + field: checkpoint.xlatesrc + target_field: source.nat.ip + if: "ctx.checkpoint?.xlatesrc != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.dst + target_field: 
destination.ip + ignore_missing: true + - rename: + field: checkpoint.xlatedst + target_field: destination.nat.ip + if: "ctx.checkpoint?.xlatedst != '0.0.0.0'" + ignore_missing: true + - rename: + field: checkpoint.uid + target_field: source.user.id + ignore_missing: true + - rename: + field: checkpoint.administrator + target_field: source.user.name + ignore_missing: true + - rename: + field: checkpoint.source_user_name + target_field: source.user.name + if: ctx.source?.user?.name == null + ignore_missing: true + - convert: + field: checkpoint.client_outbound_packets + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.server_outbound_packets + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.client_outbound_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.sent_byte + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.source?.bytes == null + - convert: + field: checkpoint.server_outbound_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.received_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: ctx.destination?.bytes == null + - convert: + field: checkpoint.service + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatedport + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.checkpoint?.xlatedport != '0'" + - convert: + field: checkpoint.s_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.xlatesport + target_field: source.nat.port + type: long + ignore_failure: 
true + ignore_missing: true + if: "ctx.checkpoint?.xlatesport != '0'" + - rename: + field: checkpoint.mac_source_address + target_field: source.mac + ignore_missing: true + - rename: + field: checkpoint.src_machine_name + target_field: source.domain + ignore_missing: true + - rename: + field: checkpoint.destination_dns_hostname + target_field: destination.domain + ignore_missing: true + - rename: + field: checkpoint.dst_machine_name + target_field: destination.domain + if: ctx.server?.domain == null + ignore_missing: true + - rename: + field: checkpoint.src_user_group + target_field: source.user.group.name + ignore_missing: true + - append: + field: event.category + value: authentication + if: ctx.checkpoint?.operation == 'Log In' + - set: + field: event.kind + value: alert + if: "['Prevent', 'Detect', 'Quarantine'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.kind + value: event + if: ctx.event?.kind == null + - set: + field: event.outcome + value: success + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - allowed + - connection + if: "['Accept', 'Allow'].contains(ctx.checkpoint?.rule_action)" + - set: + field: event.outcome + value: success + if: ctx.checkpoint?.audit_status == 'Success' + - set: + field: event.outcome + value: failure + if: ctx.checkpoint?.audit_status == 'Failure' + - set: + field: event.outcome + value: success + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.type + value: + - connection + - denied + if: "['Drop', 'Reject', 'Block', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: event.category + value: malware + if: ctx.checkpoint?.malware_action != null + - append: + field: event.category + value: intrusion_detection + if: "['Detect', 'Prevent'].contains(ctx.checkpoint?.rule_action)" + - append: + field: related.ip + value: "{{source.ip}}" + if: ctx.source?.ip != null + - append: 
+ field: related.ip + value: "{{source.nat.ip}}" + if: ctx.source?.nat?.ip != null + - append: + field: related.ip + value: "{{destination.ip}}" + if: ctx.destination?.ip != null + - append: + field: related.ip + value: "{{destination.nat.ip}}" + if: ctx.destination?.nat?.ip != null + - append: + field: related.hash + value: "{{checkpoint.file_md5}}" + if: ctx.checkpoint?.file_md5 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha1}}" + if: ctx.checkpoint?.file_sha1 != null + - append: + field: related.hash + value: "{{checkpoint.file_sha256}}" + if: ctx.checkpoint?.file_sha256 != null + - rename: + field: checkpoint.from + target_field: source.user.email + ignore_missing: true + - rename: + field: checkpoint.to + target_field: destination.user.email + ignore_missing: true + - set: + field: email.from.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - set: + field: email.to.address + value: ["{{{destination.user.email}}}"] + if: "ctx?.destination?.user?.email != null" + - append: + field: email.from.address + value: "{{{checkpoint.mime_from}}}" + if: "ctx?.checkpoint?.mime_from != null" + - append: + field: email.to.address + value: "{{{checkpoint.mime_to}}}" + if: "ctx?.checkpoint?.mime_to != null" + - set: + field: email.subject + copy_from: checkpoint.email_subject + if: "ctx?.checkpoint?.email_subject != null" + - append: + field: email.bcc.address + value: "{{{checkpoint.bcc}}}" + if: "ctx?.checkpoint?.bcc != null" + - append: + field: email.cc.address + value: "{{{checkpoint.cc}}}" + if: "ctx?.checkpoint?.cc != null" + - set: + field: email.delivery_timestamp + copy_from: checkpoint.delivery_time + if: "ctx?.checkpoint?.delivery_time != null" + - set: + field: email.message_id + copy_from: checkpoint.email_message_id + if: "ctx?.checkpoint?.email_message_id != null" + - set: + field: email.local_id + copy_from: checkpoint.email_queue_id + if: "ctx?.checkpoint?.email_queue_id != null" + - 
rename: + field: checkpoint.usercheck_incident_uid + target_field: destination.user.id + ignore_missing: true + - rename: + field: checkpoint.service_name + target_field: destination.service.name + ignore_missing: true + - rename: + field: checkpoint.mac_destination_address + target_field: destination.mac + ignore_missing: true + - rename: + field: checkpoint.dns_type + target_field: dns.question.type + ignore_missing: true + - rename: + field: checkpoint.domain_name + target_field: dns.question.name + ignore_missing: true + - rename: + field: checkpoint.dns_message_type + target_field: dns.type + ignore_missing: true + - rename: + field: checkpoint.tid + target_field: dns.id + ignore_missing: true + - rename: + field: checkpoint.loguid + target_field: event.id + ignore_missing: true + - convert: + field: checkpoint.sequencenum + target_field: event.sequence + type: long + ignore_failure: true + ignore_missing: true + - convert: + field: checkpoint.severity + target_field: event.severity + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.action + target_field: event.action + ignore_missing: true + - rename: + field: checkpoint.packet_capture + target_field: event.url + ignore_missing: true + - rename: + field: checkpoint.start_time + target_field: event.start + ignore_missing: true + - rename: + field: checkpoint.first_detection + target_field: event.start + ignore_missing: true + if: ctx.event?.start == null + - rename: + field: checkpoint.last_detection + target_field: event.end + ignore_missing: true + - rename: + field: checkpoint.app_risk + target_field: event.risk_score + ignore_missing: true + - rename: + field: checkpoint.file_id + target_field: file.inode + ignore_missing: true + - rename: + field: checkpoint.file_type + target_field: file.type + ignore_missing: true + - rename: + field: checkpoint.file_name + target_field: file.name + ignore_missing: true + - convert: + field: checkpoint.file_size + target_field: 
file.size + type: long + ignore_failure: true + ignore_missing: true + - rename: + field: checkpoint.file_md5 + target_field: file.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.file_sha1 + target_field: file.hash.sha1 + ignore_missing: true + - rename: + field: checkpoint.file_sha256 + target_field: file.hash.sha256 + ignore_missing: true + - rename: + field: checkpoint.dlp_file_name + target_field: file.name + ignore_missing: true + - rename: + field: checkpoint.user_group + target_field: group.name + ignore_missing: true + - rename: + field: checkpoint.os_version + target_field: host.os.version + ignore_missing: true + - rename: + field: checkpoint.os_name + target_field: host.os.name + ignore_missing: true + - rename: + field: checkpoint.method + target_field: http.request.method + ignore_missing: true + - rename: + field: checkpoint.referrer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: checkpoint.service_id + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.ifdir + target_field: network.direction + ignore_missing: true + - rename: + field: checkpoint.bytes + target_field: network.bytes + ignore_missing: true + - rename: + field: checkpoint.proto + target_field: network.iana_number + ignore_missing: true + - script: + lang: painless + ignore_failure: true + if: ctx?.network?.iana_number != null + source: | + def iana_number = ctx.network.iana_number; + if (iana_number == '0') { + ctx.network.transport = 'hopopt'; + } else if (iana_number == '1') { + ctx.network.transport = 'icmp'; + } else if (iana_number == '2') { + ctx.network.transport = 'igmp'; + } else if (iana_number == '6') { + ctx.network.transport = 'tcp'; + } else if (iana_number == '8') { + ctx.network.transport = 'egp'; + } else if (iana_number == '17') { + ctx.network.transport = 'udp'; + } else if (iana_number == '47') { + ctx.network.transport = 'gre'; + } else if (iana_number == '50') { + 
ctx.network.transport = 'esp'; + } else if (iana_number == '58') { + ctx.network.transport = 'ipv6-icmp'; + } else if (iana_number == '112') { + ctx.network.transport = 'vrrp'; + } else if (iana_number == '132') { + ctx.network.transport = 'sctp'; + } + - rename: + field: checkpoint.packets + target_field: network.packets + ignore_missing: true + - rename: + field: checkpoint.layer_name + target_field: network.name + ignore_missing: true + - rename: + field: checkpoint.app_name + target_field: network.application + ignore_missing: true + - rename: + field: checkpoint.client_inbound_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: checkpoint.client_outbound_interface + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: checkpoint.ifname + target_field: observer.ingress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'inbound' + - rename: + field: checkpoint.ifname + target_field: observer.egress.interface.name + ignore_missing: true + if: ctx.network?.direction == 'outbound' + - rename: + field: checkpoint.type + target_field: observer.type + ignore_missing: true + - rename: + field: checkpoint.origin + target_field: observer.name + ignore_missing: true + - rename: + field: checkpoint.origin_ip + target_field: observer.ip + ignore_missing: true + - rename: + field: checkpoint.endpoint_ip + target_field: observer.ip + ignore_missing: true + if: ctx.observer?.ip == null + - rename: + field: checkpoint.outzone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: checkpoint.inzone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: checkpoint.security_outzone + target_field: observer.egress.zone + ignore_missing: true + if: ctx.observer?.egress?.zone == null + - rename: + field: checkpoint.security_inzone + target_field: observer.ingress.zone + ignore_missing: true + if: ctx.observer?.ingress?.zone == 
null + - rename: + field: checkpoint.update_version + target_field: observer.version + ignore_missing: true + - rename: + field: checkpoint.process_md5 + target_field: process.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.process_name + target_field: process.name + ignore_missing: true + - rename: + field: checkpoint.parent_process_md5 + target_field: process.parent.hash.md5 + ignore_missing: true + - rename: + field: checkpoint.parent_process_name + target_field: process.parent.name + ignore_missing: true + - rename: + field: checkpoint.matched_category + target_field: rule.category + ignore_missing: true + - rename: + field: checkpoint.categories + target_field: rule.category + ignore_missing: true + if: ctx.rule?.category == null + - rename: + field: checkpoint.malware_action + target_field: rule.description + ignore_missing: true + - rename: + field: checkpoint.malware_rule_id + target_field: rule.id + ignore_missing: true + - rename: + field: checkpoint.app_rule_id + target_field: rule.id + ignore_missing: true + if: ctx.rule?.id == null + - rename: + field: checkpoint.objectname + target_field: rule.name + ignore_missing: true + - rename: + field: checkpoint.rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.malware_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.app_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.dlp_rule_name + target_field: rule.name + ignore_missing: true + if: ctx.rule?.name == null + - rename: + field: checkpoint.smartdefence_profile + target_field: rule.ruleset + ignore_missing: true + - rename: + field: checkpoint.policy + target_field: rule.ruleset + ignore_missing: true + if: ctx.rule?.ruleset == null + - rename: + field: checkpoint.rule_uid + target_field: rule.uuid + ignore_missing: true + - rename: + 
field: checkpoint.dlp_rule_uid + target_field: rule.uuid + ignore_missing: true + if: ctx.rule?.uuid == null + - rename: + field: checkpoint.url + target_field: url.original + ignore_missing: true + - rename: + field: checkpoint.resource + target_field: url.original + ignore_missing: true + if: ctx.url?.original == null + - rename: + field: checkpoint.http_host + target_field: url.domain + ignore_missing: true + - rename: + field: checkpoint.web_client_type + target_field: user_agent.name + ignore_missing: true + - rename: + field: checkpoint.user_agent + target_field: user_agent.original + ignore_missing: true + - rename: + field: checkpoint.industry_reference + target_field: vulnerability.id + ignore_missing: true + - date: + field: "checkpoint.time" + formats: ["ISO8601", "UNIX"] + if: "ctx.checkpoint?.time != null" + - rename: + field: checkpoint.message + target_field: message + ignore_missing: true + - rename: + field: checkpoint.reason + target_field: message + ignore_missing: true + if: ctx.message == null + - rename: + field: checkpoint.subject + target_field: message + ignore_missing: true + if: ctx.message == null + - gsub: + field: checkpoint.sys_message + pattern: ^:" + replacement: "" + if: ctx.checkpoint?.sys_message != null + - append: + field: related.user + value: "{{source.user.name}}" + if: ctx.source?.user?.name != null + - append: + field: related.user + value: "{{destination.user.name}}" + if: ctx.destination?.user?.name != null + - script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: ctx?.source?.bytes != null && ctx?.destination?.bytes != null && ctx?.network?.bytes == null + ignore_failure: true + - script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: ctx?.source?.packets != null && ctx?.destination?.packets != null && ctx?.network?.packets == null + ignore_failure: true + - rename: + field: checkpoint.action_reason + target_field: 
checkpoint.action_reason_msg + if: ctx.checkpoint?.action_reason != null && ctx.checkpoint?.action_reason.contains(" ") + ignore_missing: true + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: ctx.source?.geo == null + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: ctx.destination?.geo == null + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + # Handle zone-based network directionality + - set: + field: network.direction + value: inbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + - set: + field: network.direction + value: outbound + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: internal + if: > + ctx?._temp_?.external_zones != null && 
+ ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: external + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) + - set: + field: network.direction + value: unknown + if: > + ctx?._temp_?.external_zones != null && + ctx?._temp_?.internal_zones != null && + ctx?.observer?.ingress?.zone != null && + ctx?.observer?.egress?.zone != null && + ( + ( + !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) + ) || + ( + !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) && + !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone) + ) + ) + - remove: + field: + - checkpoint.client_outbound_packets + - checkpoint.server_outbound_packets + - checkpoint.client_outbound_bytes + - checkpoint.sent_byte + - checkpoint.server_outbound_bytes + - checkpoint.received_bytes + - checkpoint.service + - checkpoint.xlatedport + - checkpoint.s_port + - checkpoint.xlatesport + - checkpoint.sequencenum + - checkpoint.file_size + - checkpoint.product + - checkpoint.severity + - checkpoint.xlatesrc + - checkpoint.xlatedst + - checkpoint.uid + - checkpoint.time + - syslog5424_ts + - _temp_ + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
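Review bot: The `rename` of `checkpoint.dst_machine_name` to `destination.domain` is guarded by `if: ctx.server?.domain == null`, but nothing in this pipeline writes `server.domain`, so the guard is always true and an event carrying both `destination_dns_hostname` and `dst_machine_name` hits a rename onto an existing target, which the rename processor treats as a failure (there is no `ignore_failure` here) and the whole document drops into `on_failure`; the condition should read `if: ctx.destination?.domain == null`. The same unguarded double-rename exists for `network.application` (`checkpoint.service_id` then `checkpoint.app_name`) and for `file.name` (`checkpoint.file_name` then `checkpoint.dlp_file_name`); each second rename wants an `if: ctx.network?.application == null` / `if: ctx.file?.name == null` guard like the ones already used for `rule.name` and `event.start`. Separately, both `email.from.address` and `email.to.address` are seeded from `destination.user.email` even though `checkpoint.from` was just renamed to `source.user.email` a few lines earlier, which looks like a copy-paste slip unless the sender address really is meant to be ignored; worth confirming against a sample event. Finally, `event.outcome: success` for the `Drop`/`Reject`/`Block`/`Prevent` actions is surprising on first read, and a comment such as `# outcome describes the firewall's enforcement, not the connection: a blocked flow is a successful enforcement` above that `set` would spare the next maintainer from "fixing" it.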
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/fields/agent.yml b/packages/checkpoint/1.5.1/data_stream/firewall/fields/agent.yml new file mode 100755 index 0000000000..79a7a39864 --- /dev/null +++ b/packages/checkpoint/1.5.1/data_stream/firewall/fields/agent.yml 
@@ -0,0 +1,180 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on." + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: "The cloud account or organization id used to identify different entities in a multi-tenant environment.\nExamples: AWS account id, Google Cloud ORG Id, or other unique identifier." + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." + - name: id + level: core + type: keyword + ignore_above: 1024 + description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/fields/base-fields.yml b/packages/checkpoint/1.5.1/data_stream/firewall/fields/base-fields.yml new file mode 100755 index 0000000000..6bdf832a14 --- /dev/null +++ b/packages/checkpoint/1.5.1/data_stream/firewall/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: checkpoint +- name: event.dataset + type: constant_keyword + description: Event dataset + value: checkpoint.firewall +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/fields/beats.yml b/packages/checkpoint/1.5.1/data_stream/firewall/fields/beats.yml new file mode 100755 index 0000000000..e272492dea --- /dev/null +++ b/packages/checkpoint/1.5.1/data_stream/firewall/fields/beats.yml @@ -0,0 +1,15 @@ +- description: Type of Filebeat input. + name: input.type + type: keyword +- description: Flags for the log file. + name: log.flags + type: keyword +- description: Offset of the entry in the log file. + name: log.offset + type: long +- description: Name of the service data is collected from. + name: destination.service.name + type: keyword +- description: Source address of logs received over the network. + name: log.source.address + type: keyword diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/fields/ecs.yml b/packages/checkpoint/1.5.1/data_stream/firewall/fields/ecs.yml new file mode 100755 index 0000000000..506553ea2c --- /dev/null +++ b/packages/checkpoint/1.5.1/data_stream/firewall/fields/ecs.yml 
@@ -0,0 +1,522 @@
+- description: Unique container id.
+ name: container.id
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ MAC address of the destination.
+ The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
+ name: destination.mac
+ type: keyword
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: User email address.
+ name: destination.user.email
+ type: keyword
+- description: Unique identifier of the user.
+ name: destination.user.id
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.name
+ type: keyword
+- description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
+ name: dns.id
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: |-
+ The type of DNS event captured, query or answer.
+ If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
+ If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. + name: dns.type + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: The date and time when the email message was received by the service or client. + name: email.delivery_timestamp + type: date +- description: The email address of the sender, typically from the RFC 5322 `From:` header field. + name: email.from.address + type: keyword +- description: The email address of recipient + name: email.to.address + type: keyword +- description: The email address of BCC recipient + name: email.bcc.address + type: keyword +- description: The email address of CC recipient + name: email.cc.address + type: keyword +- description: A brief summary of the topic of the message. + multi_fields: + - name: text + type: match_only_text + name: email.subject + type: keyword +- description: Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. + name: email.message_id + type: wildcard +- description: |- + Unique identifier given to the email by the source that created the event. + Identifier is not persistent across hops. + name: email.local_id + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
+ name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: Risk score or priority of the event (e.g. security solutions). Use your system's original value here. + name: event.risk_score + type: float +- description: |- + Sequence number of the event. + The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. + name: event.sequence + type: long +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: |- + URL linking to an external system to continue investigation of this event. + This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + name: event.url + type: keyword +- description: MD5 hash. + name: file.hash.md5 + type: keyword +- description: SHA1 hash. + name: file.hash.sha1 + type: keyword +- description: SHA256 hash. + name: file.hash.sha256 + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: |- + File size in bytes. + Only relevant when `file.type` is "file". + name: file.size + type: long +- description: File type (file, dir, or symlink). + name: file.type + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: host.os.name + type: keyword +- description: Operating system version as a raw string. + name: host.os.version + type: keyword +- description: |- + HTTP request method. + The value should retain its casing from the original event. 
For example, `GET`, `get`, and `GeT` are all considered valid values for this field. + name: http.request.method + type: keyword +- description: Referrer for this HTTP request. + name: http.request.referrer + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. 
Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: Name given by operators to sections of their network. + name: network.name + type: keyword +- description: |- + Total packets transferred in both directions. + If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + name: network.packets + type: long +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. 
+ If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: MD5 hash. + name: process.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: MD5 hash. + name: process.parent.hash.md5 + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.parent.name + type: keyword +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
+ name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + name: rule.uuid + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. 
+ name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + MAC address of the source. + The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. + name: source.mac + type: keyword +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: User email address. + name: source.user.email + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: Unique identifier of the user. + name: source.user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. 
+ name: url.domain
+ type: keyword
+- description: |-
+ Unmodified original url as seen in the event source.
+ Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
+ This field is meant to represent the URL as it was observed, complete or not.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: url.original
+ type: wildcard
+- description: Name of the user agent.
+ name: user_agent.name
+ type: keyword
+- description: Unparsed user_agent string.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user_agent.original
+ type: keyword
+- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]
+ name: vulnerability.id
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/fields/fields.yml b/packages/checkpoint/1.5.1/data_stream/firewall/fields/fields.yml
new file mode 100755
index 0000000000..a389420a0c
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/fields/fields.yml
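Review bot: The description of `vulnerability.id` near the end of the ecs.yml hunk carries a malformed AsciiDoc link, `(https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID]`, which renders as a parenthesised URL followed by a literal bracketed label; the AsciiDoc form is `https://cve.mitre.org/about/faqs.html#what_is_cve_id[Common Vulnerabilities and Exposure CVE ID]`. The text appears to be copied from the upstream ECS field definitions, so if this file is generated the correction belongs at the generation source rather than in this copy. In the same hunk `observer.ingress.zone` gives its examples as `internal, External, DMZ` while the parallel `observer.egress.zone` uses `Internal, External, DMZ`; aligning the casing would keep the two descriptions consistent.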
@@ -0,0 +1,1626 @@
+- name: checkpoint
+ type: group
+ release: beta
+ fields:
+ - name: action_reason
+ type: integer
+ description: |
+ Connection drop reason.
+ - name: action_reason_msg
+ type: keyword
+ overwrite: true
+ description: |
+ Connection drop reason message.
+ - name: additional_info
+ type: keyword
+ description: |
+ ID of original file/mail which are sent by admin.
+ - name: additional_ip
+ type: keyword
+ description: |
+ DNS host name.
+ - name: additional_rdata
+ type: keyword
+ description: |
+ List of additional resource records.
+ - name: alert
+ type: keyword
+ description: |
+ Alert level of matched rule (for connection logs).
+ - name: allocated_ports
+ type: integer
+ description: |
+ Amount of allocated ports.
+ - name: analyzed_on
+ type: keyword
+ description: |
+ Check Point ThreatCloud / emulator name.
+ - name: answer_rdata
+ type: keyword
+ description: |
+ List of answer resource records to the questioned domains.
+ - name: anti_virus_type
+ type: keyword
+ description: |
+ Anti virus type.
+ - name: app_desc
+ type: keyword
+ description: |
+ Application description.
+ - name: app_id
+ type: integer
+ description: |
+ Application ID.
+ - name: app_package
+ type: keyword
+ description: |
+ Unique identifier of the application on the protected mobile device.
+ - name: app_properties
+ type: keyword
+ description: |
+ List of all found categories.
+ - name: app_repackaged
+ type: keyword
+ description: |
+ Indicates whether the original application was repackage not by the official developer.
+ - name: app_sid_id
+ type: keyword
+ description: |
+ Unique SHA identifier of a mobile application.
+ - name: app_sig_id
+ type: keyword
+ description: |
+ IOC indicator description.
+ - name: app_version
+ type: keyword
+ description: |
+ Version of the application downloaded on the protected mobile device.
+ - name: appi_name
+ type: keyword
+ description: |
+ Name of application downloaded on the protected mobile device.
+ - name: arrival_time + type: keyword + description: | + Email arrival timestamp. + - name: attachments_num + type: integer + description: | + Number of attachments in the mail. + - name: attack_status + type: keyword + description: | + In case of a malicious event on an endpoint computer, the status of the attack. + - name: audit_status + type: keyword + description: | + Audit Status. Can be Success or Failure. + - name: auth_method + type: keyword + description: | + Password authentication protocol used (PAP or EAP). + - name: authority_rdata + type: keyword + description: | + List of authoritative servers. + - name: authorization + type: keyword + description: | + Authorization HTTP header value. + - name: bcc + type: keyword + description: | + List of BCC addresses. + - name: blade_name + type: keyword + description: | + Blade name. + - name: broker_publisher + type: ip + description: | + IP address of the broker publisher who shared the session information. + - name: browse_time + type: keyword + description: | + Application session browse time. + - name: c_bytes + type: integer + description: | + Boolean value indicates whether bytes sent from the client side are used. + - name: calc_desc + type: keyword + description: | + Log description. + - name: capacity + type: integer + description: | + Capacity of the ports. + - name: capture_uuid + type: keyword + description: | + UUID generated for the capture. Used when enabling the capture when logging. + - name: cc + type: keyword + description: | + The Carbon Copy address of the email. + - name: certificate_resource + type: keyword + description: | + HTTPS resource Possible values: SNI or domain name (DN). + - name: certificate_validation + type: keyword + description: | + Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. + - name: cgnet + type: keyword + description: | + Describes NAT allocation for specific subscriber. 
+ - name: chunk_type + type: keyword + description: | + Chunck of the sctp stream. + - name: client_name + type: keyword + description: | + Client Application or Software Blade that detected the event. + - name: client_type + type: keyword + description: | + Endpoint Connect. + - name: client_type_os + type: keyword + description: | + Client OS detected in the HTTP request. + - name: client_version + type: keyword + description: | + Build version of SandBlast Agent client installed on the computer. + - name: cluster_info + type: keyword + description: | + Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. + - name: comment + type: keyword + - name: community + type: keyword + description: | + Community name for the IPSec key and the use of the IKEv. + - name: confidence_level + type: integer + description: | + Confidence level determined by ThreatCloud. + - name: conn_direction + type: keyword + description: Connection direction + - name: connection_uid + type: keyword + description: | + Calculation of md5 of the IP and user name as UID. + - name: connectivity_level + type: keyword + description: | + Log for a new connection in wire mode. + - name: conns_amount + type: integer + description: | + Connections amount of aggregated log info. + - name: content_disposition + type: keyword + description: | + Indicates how the content is expected to be displayed inline in the browser. + - name: content_length + type: keyword + description: | + Indicates the size of the entity-body of the HTTP header. + - name: content_risk + type: integer + description: | + File risk. + - name: content_type + type: keyword + description: | + Mail content type. Possible values: application/msword, text/html, image/gif etc. + - name: context_num + type: integer + description: | + Serial number of the log for a specific connection. + - name: cookieI + type: keyword + description: | + Initiator cookie. 
+ - name: cookieR + type: keyword + description: | + Responder cookie. + - name: cp_message + type: integer + description: | + Used to log a general message. + - name: cvpn_category + type: keyword + description: | + Mobile Access application type. + - name: cvpn_resource + type: keyword + description: | + Mobile Access application. + - name: data_type_name + type: keyword + description: | + Data type in rulebase that was matched. + - name: db_ver + type: keyword + description: Database version + - name: dce-rpc_interface_uuid + type: keyword + description: | + Log for new RPC state - UUID values + - name: delivery_time + type: keyword + description: | + Timestamp of when email was delivered (MTA finished handling the email. + - name: desc + type: keyword + description: | + Override application description. + - name: description + type: keyword + description: | + Additional explanation how the security gateway enforced the connection. + - name: destination_object + type: keyword + description: | + Matched object name on destination column. + - name: detected_on + type: keyword + description: | + System and applications version the file was emulated on. + - name: developer_certificate_name + type: keyword + description: | + Name of the developer's certificate that was used to sign the mobile application. + - name: diameter_app_ID + type: integer + description: | + The ID of diameter application. + - name: diameter_cmd_code + type: integer + description: | + Diameter not allowed application command id. + - name: diameter_msg_type + type: keyword + description: | + Diameter message type. + - name: dlp_action_reason + type: keyword + description: | + Action chosen reason. + - name: dlp_additional_action + type: keyword + description: | + Watermark/None. + - name: dlp_categories + type: keyword + description: | + Data type category. + - name: dlp_data_type_name + type: keyword + description: | + Matched data type. 
+ - name: dlp_data_type_uid
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: dlp_fingerprint_files_number
+ type: integer
+ description: |
+ Number of successfully scanned files in repository.
+ - name: dlp_fingerprint_long_status
+ type: keyword
+ description: |
+ Scan status - long format.
+ - name: dlp_fingerprint_short_status
+ type: keyword
+ description: |
+ Scan status - short format.
+ - name: dlp_incident_uid
+ type: keyword
+ description: |
+ Unique ID of the matched rule.
+ - name: dlp_recipients
+ type: keyword
+ description: |
+ Mail recipients.
+ - name: dlp_related_incident_uid
+ type: keyword
+ description: |
+ Other ID related to this one.
+ - name: dlp_relevant_data_types
+ type: keyword
+ description: |
+ In case of Compound/Group: the inner data types that were matched.
+ - name: dlp_repository_directories_number
+ type: integer
+ description: |
+ Number of directories in repository.
+ - name: dlp_repository_files_number
+ type: integer
+ description: |
+ Number of files in repository.
+ - name: dlp_repository_id
+ type: keyword
+ description: |
+ ID of scanned repository.
+ - name: dlp_repository_not_scanned_directories_percentage
+ type: integer
+ description: |
+ Percentage of directories the Security Gateway was unable to read.
+ - name: dlp_repository_reached_directories_number
+ type: integer
+ description: |
+ Number of scanned directories in repository.
+ - name: dlp_repository_root_path
+ type: keyword
+ description: |
+ Repository path.
+ - name: dlp_repository_scan_progress
+ type: integer
+ description: |
+ Scan percentage.
+ - name: dlp_repository_scanned_directories_number
+ type: integer
+ description: |
+ Amount of directories scanned.
+ - name: dlp_repository_scanned_files_number
+ type: integer
+ description: |
+ Number of scanned files in repository.
+ - name: dlp_repository_scanned_total_size
+ type: integer
+ description: |
+ Size scanned.
+ - name: dlp_repository_skipped_files_number
+ type: integer
+ description: |
+ Skipped number of files because of configuration.
+ - name: dlp_repository_total_size
+ type: integer
+ description: |
+ Repository size.
+ - name: dlp_repository_unreachable_directories_number
+ type: integer
+ description: |
+ Number of directories the Security Gateway was unable to read.
+ - name: dlp_rule_name
+ type: keyword
+ description: |
+ Matched rule name.
+ - name: dlp_subject
+ type: keyword
+ description: |
+ Mail subject.
+ - name: dlp_template_score
+ type: keyword
+ description: |
+ Template data type match score.
+ - name: dlp_transint
+ type: keyword
+ description: |
+ HTTP/SMTP/FTP.
+ - name: dlp_violation_description
+ type: keyword
+ description: |
+ Violation descriptions described in the rulebase.
+ - name: dlp_watermark_profile
+ type: keyword
+ description: |
+ Watermark which was applied.
+ - name: dlp_word_list
+ type: keyword
+ description: |
+ Phrases matched by data type.
+ - name: dns_query
+ type: keyword
+ description: |
+ DNS query.
+ - name: drop_reason
+ type: keyword
+ description: |
+ Drop reason description.
+ - name: dropped_file_hash
+ type: keyword
+ description: |
+ List of file hashes dropped from the original file.
+ - name: dropped_file_name
+ type: keyword
+ description: |
+ List of names dropped from the original file.
+ - name: dropped_file_type
+ type: keyword
+ description: |
+ List of file types dropped from the original file.
+ - name: dropped_file_verdict
+ type: keyword
+ description: |
+ List of file verdics dropped from the original file.
+ - name: dropped_incoming
+ type: integer
+ description: |
+ Number of incoming bytes dropped when using UP-limit feature.
+ - name: dropped_outgoing
+ type: integer
+ description: |
+ Number of outgoing bytes dropped when using UP-limit feature.
+ - name: dropped_total
+ type: integer
+ description: |
+ Amount of dropped packets (both incoming and outgoing).
+ - name: drops_amount
+ type: integer
+ description: |
+ Amount of multicast packets dropped.
+ - name: dst_country
+ type: keyword
+ description: |
+ Destination country.
+ - name: dst_phone_number
+ type: keyword
+ description: |
+ Destination IP-Phone.
+ - name: dst_user_name
+ type: keyword
+ description: |
+ Connected user name on the destination IP.
+ - name: dstkeyid
+ type: keyword
+ description: |
+ Responder Spi ID.
+ - name: duplicate
+ type: keyword
+ description: |
+ Log marked as duplicated, when mail is split and the Security Gateway sees it twice.
+ - name: duration
+ type: keyword
+ description: "Scan duration. \n"
+ - name: elapsed
+ type: keyword
+ description: |
+ Time passed since start time.
+ - name: email_content
+ type: keyword
+ description: |
+ Mail contents. Possible options: attachments/links & attachments/links/text only.
+ - name: email_control
+ type: keyword
+ description: |
+ Engine name.
+ - name: email_control_analysis
+ type: keyword
+ description: |
+ Message classification, received from spam vendor engine.
+ - name: email_headers
+ type: keyword
+ description: |
+ String containing all the email headers.
+ - name: email_id
+ type: keyword
+ description: |
+ Email number in smtp connection.
+ - name: email_message_id
+ type: keyword
+ description: |
+ Email session id (uniqe ID of the mail).
+ - name: email_queue_id
+ type: keyword
+ description: |
+ Postfix email queue id.
+ - name: email_queue_name
+ type: keyword
+ description: |
+ Postfix email queue name.
+ - name: email_recipients_num
+ type: long
+ description: |
+ Amount of recipients whom the mail was sent to.
+ - name: email_session_id
+ type: keyword
+ description: |
+ Connection uuid.
+ - name: email_spam_category
+ type: keyword
+ description: |
+ Email categories. Possible values: spam/not spam/phishing.
+ - name: email_status
+ type: keyword
+ description: |
+ Describes the email's state.
Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended
+ - name: email_subject
+ type: keyword
+ description: |
+ Original email subject.
+ - name: emulated_on
+ type: keyword
+ description: |
+ Images the files were emulated on.
+ - name: encryption_failure
+ type: keyword
+ description: |
+ Message indicating why the encryption failed.
+ - name: end_time
+ type: keyword
+ description: |
+ TCP connection end time.
+ - name: end_user_firewall_type
+ type: keyword
+ description: |
+ End user firewall type.
+ - name: esod_access_status
+ type: keyword
+ description: |
+ Access denied.
+ - name: esod_associated_policies
+ type: keyword
+ description: |
+ Associated policies.
+ - name: esod_noncompliance_reason
+ type: keyword
+ description: |
+ Non-compliance reason.
+ - name: esod_rule_action
+ type: keyword
+ description: |
+ Unknown rule action.
+ - name: esod_rule_name
+ type: keyword
+ description: |
+ Unknown rule name.
+ - name: esod_rule_type
+ type: keyword
+ description: |
+ Unknown rule type.
+ - name: esod_scan_status
+ type: keyword
+ description: |
+ Scan failed.
+ - name: event_count
+ type: long
+ description: |
+ Number of events associated with the log.
+ - name: expire_time
+ type: keyword
+ description: |
+ Connection closing time.
+ - name: extension_version
+ type: keyword
+ description: |
+ Build version of the SandBlast Agent browser extension.
+ - name: extracted_file_hash
+ type: keyword
+ description: |
+ Archive hash in case of extracted files.
+ - name: extracted_file_names
+ type: keyword
+ description: |
+ Names of extracted files in case of an archive.
+ - name: extracted_file_type
+ type: keyword
+ description: |
+ Types of extracted files in case of an archive.
+ - name: extracted_file_uid
+ type: keyword
+ description: |
+ UID of extracted files in case of an archive.
+ - name: extracted_file_verdict
+ type: keyword
+ description: |
+ Verdict of extracted files in case of an archive.
+ - name: failure_impact
+ type: keyword
+ description: |
+ The impact of update service failure.
+ - name: failure_reason
+ type: keyword
+ description: |
+ MTA failure description.
+ - name: file_direction
+ type: keyword
+ description: |
+ File direction. Possible options: upload/download.
+ - name: file_name
+ type: keyword
+ description: |
+ Malicious file name.
+ - name: files_names
+ type: keyword
+ description: |
+ List of files requested by FTP.
+ - name: first_hit_time
+ type: integer
+ description: |
+ First hit time in current interval.
+ - name: fs-proto
+ type: keyword
+ description: |
+ The file share protocol used in mobile acess file share application.
+ - name: ftp_user
+ type: keyword
+ description: |
+ FTP username.
+ - name: fw_message
+ type: keyword
+ description: |
+ Used for various firewall errors.
+ - name: fw_subproduct
+ type: keyword
+ description: |
+ Can be vpn/non vpn.
+ - name: hide_ip
+ type: ip
+ description: |
+ Source IP which will be used after CGNAT.
+ - name: hit
+ type: integer
+ description: |
+ Number of hits on a rule.
+ - name: host_time
+ type: keyword
+ description: |
+ Local time on the endpoint computer.
+ - name: http_host
+ type: keyword
+ description: |
+ Domain name of the server that the HTTP request is sent to.
+ - name: http_location
+ type: keyword
+ description: |
+ Response header, indicates the URL to redirect a page to.
+ - name: http_server
+ type: keyword
+ description: |
+ Server HTTP header value, contains information about the software used by the origin server, which handles the request.
+ - name: https_inspection_action
+ type: keyword
+ description: |
+ HTTPS inspection action (Inspect/Bypass/Error).
+ - name: https_inspection_rule_id
+ type: keyword
+ description: |
+ ID of the matched rule.
+ - name: https_inspection_rule_name
+ type: keyword
+ description: |
+ Name of the matched rule.
+ - name: https_validation
+ type: keyword
+ description: |
+ Precise error, describing HTTPS inspection failure.
+ - name: icap_more_info
+ type: integer
+ description: |
+ Free text for verdict.
+ - name: icap_server_name
+ type: keyword
+ description: |
+ Server name.
+ - name: icap_server_service
+ type: keyword
+ description: |
+ Service name, as given in the ICAP URI
+ - name: icap_service_id
+ type: integer
+ description: |
+ Service ID, can work with multiple servers, treated as services.
+ - name: icmp
+ type: keyword
+ description: |
+ Number of packets, received by the client.
+ - name: icmp_code
+ type: long
+ description: |
+ In case a connection is ICMP, code info will be added to the log.
+ - name: icmp_type
+ type: long
+ description: |
+ In case a connection is ICMP, type info will be added to the log.
+ - name: id
+ type: integer
+ description: |
+ Override application ID.
+ - name: ike
+ type: keyword
+ description: |
+ IKEMode (PHASE1, PHASE2, etc..).
+ - name: ike_ids
+ type: keyword
+ description: |
+ All QM ids.
+ - name: impacted_files
+ type: keyword
+ description: |
+ In case of an infection on an endpoint computer, the list of files that the malware impacted.
+ - name: incident_extension
+ type: keyword
+ description: |
+ Matched data type.
+ - name: indicator_description
+ type: keyword
+ description: |
+ IOC indicator description.
+ - name: indicator_name
+ type: keyword
+ description: |
+ IOC indicator name.
+ - name: indicator_reference
+ type: keyword
+ description: |
+ IOC indicator reference.
+ - name: indicator_uuid
+ type: keyword
+ description: |
+ IOC indicator uuid.
+ - name: info
+ type: keyword
+ description: |
+ Special log message.
+ - name: information
+ type: keyword
+ description: |
+ Policy installation status for a specific blade.
+ - name: inspection_category
+ type: keyword
+ description: |
+ Inspection category: protocol anomaly, signature etc.
+ - name: inspection_item
+ type: keyword
+ description: |
+ Blade element performed inspection.
+ - name: inspection_profile
+ type: keyword
+ description: |
+ Profile which the activated protection belongs to.
+ - name: inspection_settings_log
+ type: keyword
+ description: |
+ Indicats that the log was released by inspection settings.
+ - name: installed_products
+ type: keyword
+ description: |
+ List of installed Endpoint Software Blades.
+ - name: int_end
+ type: integer
+ description: |
+ Subscriber end int which will be used for NAT.
+ - name: int_start
+ type: integer
+ description: |
+ Subscriber start int which will be used for NAT.
+ - name: interface_name
+ type: keyword
+ description: |
+ Designated interface for mirror And decrypt.
+ - name: internal_error
+ type: keyword
+ description: |
+ Internal error, for troubleshooting
+ - name: invalid_file_size
+ type: integer
+ description: |
+ File_size field is valid only if this field is set to 0.
+ - name: ip_option
+ type: integer
+ description: |
+ IP option that was dropped.
+ - name: isp_link
+ type: keyword
+ description: |
+ Name of ISP link.
+ - name: last_hit_time
+ type: integer
+ description: |
+ Last hit time in current interval.
+ - name: last_rematch_time
+ type: keyword
+ description: |
+ Connection rematched time.
+ - name: layer_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: layer_uuid
+ type: keyword
+ description: |
+ Layer UUID.
+ - name: limit_applied
+ type: integer
+ description: |
+ Indicates whether the session was actually date limited.
+ - name: limit_requested
+ type: integer
+ description: |
+ Indicates whether data limit was requested for the session.
+ - name: link_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: links_num
+ type: integer
+ description: |
+ Number of links in the mail.
+ - name: log_delay
+ type: integer
+ description: |
+ Time left before deleting template.
+ - name: log_id
+ type: integer
+ description: |
+ Unique identity for logs.
+ - name: logid
+ type: keyword
+ description: |
+ System messages
+ - name: long_desc
+ type: keyword
+ description: |
+ More information on the process (usually describing error reason in failure).
+ - name: machine
+ type: keyword
+ description: |
+ L2TP machine which triggered the log and the log refers to it.
+ - name: malware_family
+ type: keyword
+ description: |
+ Additional information on protection.
+ - name: match_fk
+ type: integer
+ description: |
+ Rule number.
+ - name: match_id
+ type: integer
+ description: |
+ Private key of the rule
+ - name: matched_file
+ type: keyword
+ description: |
+ Unique ID of the matched data type.
+ - name: matched_file_percentage
+ type: integer
+ description: |
+ Fingerprint: match percentage of the traffic.
+ - name: matched_file_text_segments
+ type: integer
+ description: |
+ Fingerprint: number of text segments matched by this traffic.
+ - name: media_type
+ type: keyword
+ description: |
+ Media used (audio, video, etc.)
+ - name: message
+ type: keyword
+ description: |
+ ISP link has failed.
+ - name: message_info
+ type: keyword
+ description: |
+ Used for information messages, for example:NAT connection has ended.
+ - name: message_size
+ type: integer
+ description: |
+ Mail/post size.
+ - name: method
+ type: keyword
+ description: |
+ HTTP method.
+ - name: methods
+ type: keyword
+ description: |
+ IPSEc methods.
+ - name: mime_from
+ type: keyword
+ description: |
+ Sender's address.
+ - name: mime_to
+ type: keyword
+ description: |
+ List of receiver address.
+ - name: mirror_and_decrypt_type
+ type: keyword
+ description: |
+ Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass).
+ - name: mitre_collection
+ type: keyword
+ description: |
+ The adversary is trying to collect data of interest to achieve his goal.
+ - name: mitre_command_and_control
+ type: keyword
+ description: |
+ The adversary is trying to communicate with compromised systems in order to control them.
+ - name: mitre_credential_access
+ type: keyword
+ description: |
+ The adversary is trying to steal account names and passwords.
+ - name: mitre_defense_evasion
+ type: keyword
+ description: |
+ The adversary is trying to avoid being detected.
+ - name: mitre_discovery
+ type: keyword
+ description: |
+ The adversary is trying to expose information about your environment.
+ - name: mitre_execution
+ type: keyword
+ description: |
+ The adversary is trying to run malicious code.
+ - name: mitre_exfiltration
+ type: keyword
+ description: |
+ The adversary is trying to steal data.
+ - name: mitre_impact
+ type: keyword
+ description: |
+ The adversary is trying to manipulate, interrupt, or destroy your systems and data.
+ - name: mitre_initial_access
+ type: keyword
+ description: |
+ The adversary is trying to break into your network.
+ - name: mitre_lateral_movement
+ type: keyword
+ description: |
+ The adversary is trying to explore your environment.
+ - name: mitre_persistence
+ type: keyword
+ description: |
+ The adversary is trying to maintain his foothold.
+ - name: mitre_privilege_escalation
+ type: keyword
+ description: |
+ The adversary is trying to gain higher-level permissions.
+ - name: monitor_reason
+ type: keyword
+ description: |
+ Aggregated logs of monitored packets.
+ - name: msgid
+ type: keyword
+ description: |
+ Message ID.
+ - name: name
+ type: keyword
+ description: |
+ Application name.
+ - name: nat46
+ type: keyword
+ description: |
+ NAT 46 status, in most cases "enabled".
+ - name: nat_addtnl_rulenum
+ type: integer
+ description: |
+ When matching 2 automatic rules , second rule match will be shown otherwise field will be 0.
+ - name: nat_exhausted_pool
+ type: keyword
+ description: |
+ 4-tuple of an exhausted pool.
+ - name: nat_rulenum
+ type: integer
+ description: |
+ NAT rulebase first matched rule.
+ - name: needs_browse_time
+ type: integer
+ description: |
+ Browse time required for the connection.
+ - name: next_hop_ip
+ type: keyword
+ description: |
+ Next hop IP address.
+ - name: next_scheduled_scan_date
+ type: keyword
+ description: |
+ Next scan scheduled time according to time object.
+ - name: number_of_errors
+ type: integer
+ description: |
+ Number of files that were not scanned due to an error.
+ - name: objecttable
+ type: keyword
+ description: |
+ Table of affected objects.
+ - name: objecttype
+ type: keyword
+ description: |
+ The type of the affected object.
+ - name: observable_comment
+ type: keyword
+ description: |
+ IOC observable signature description.
+ - name: observable_id
+ type: keyword
+ description: |
+ IOC observable signature id.
+ - name: observable_name
+ type: keyword
+ description: |
+ IOC observable signature name.
+ - name: operation
+ type: keyword
+ description: |
+ Operation made by Threat Extraction.
+ - name: operation_number
+ type: keyword
+ description: |
+ The operation nuber.
+ - name: origin_sic_name
+ type: keyword
+ description: |
+ Machine SIC.
+ - name: original_queue_id
+ type: keyword
+ description: |
+ Original postfix email queue id.
+ - name: outgoing_url
+ type: keyword
+ description: |
+ URL related to this log (for HTTP).
+ - name: packet_amount
+ type: integer
+ description: |
+ Amount of packets dropped.
+ - name: packet_capture_unique_id
+ type: keyword
+ description: |
+ Identifier of the packet capture files.
+ - name: parent_file_hash
+ type: keyword
+ description: |
+ Archive's hash in case of extracted files.
+ - name: parent_file_name
+ type: keyword
+ description: |
+ Archive's name in case of extracted files.
+ - name: parent_file_uid
+ type: keyword
+ description: |
+ Archive's UID in case of extracted files.
+ - name: parent_process_username
+ type: keyword
+ description: |
+ Owner username of the parent process of the process that triggered the attack.
+ - name: parent_rule
+ type: integer
+ description: |
+ Parent rule number, in case of inline layer.
+ - name: peer_gateway
+ type: ip
+ description: |
+ Main IP of the peer Security Gateway.
+ - name: peer_ip
+ type: keyword
+ description: |
+ IP address which the client connects to.
+ - name: peer_ip_probing_status_update
+ type: keyword
+ description: |
+ IP address response status.
+ - name: performance_impact
+ type: integer
+ description: |
+ Protection performance impact.
+ - name: policy_mgmt
+ type: keyword
+ description: |
+ Name of the Management Server that manages this Security Gateway.
+ - name: policy_name
+ type: keyword
+ description: |
+ Name of the last policy that this Security Gateway fetched.
+ - name: ports_usage
+ type: integer
+ description: |
+ Percentage of allocated ports.
+ - name: ppp
+ type: keyword
+ description: |
+ Authentication status.
+ - name: precise_error
+ type: keyword
+ description: |
+ HTTP parser error.
+ - name: process_username
+ type: keyword
+ description: |
+ Owner username of the process that triggered the attack.
+ - name: properties
+ type: keyword
+ description: |
+ Application categories.
+ - name: protection_id
+ type: keyword
+ description: |
+ Protection malware id.
+ - name: protection_name
+ type: keyword
+ description: |
+ Specific signature name of the attack.
+ - name: protection_type
+ type: keyword
+ description: |
+ Type of protection used to detect the attack.
+ - name: protocol
+ type: keyword
+ description: |
+ Protocol detected on the connection.
+ - name: proxy_machine_name
+ type: integer
+ description: |
+ Machine name connected to proxy IP.
+ - name: proxy_src_ip
+ type: ip
+ description: |
+ Sender source IP (even when using proxy).
+ - name: proxy_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to proxy IP.
+ - name: proxy_user_name
+ type: keyword
+ description: |
+ User name connected to proxy IP.
+ - name: query
+ type: keyword
+ description: |
+ DNS query.
+ - name: question_rdata
+ type: keyword
+ description: |
+ List of question records domains.
+ - name: referrer
+ type: keyword
+ description: |
+ Referrer HTTP request header, previous web page address.
+ - name: referrer_parent_uid
+ type: keyword
+ description: |
+ Log UUID of the referring application.
+ - name: referrer_self_uid
+ type: keyword
+ description: |
+ UUID of the current log.
+ - name: registered_ip-phones
+ type: keyword
+ description: |
+ Registered IP-Phones.
+ - name: reject_category
+ type: keyword
+ description: |
+ Authentication failure reason.
+ - name: reject_id
+ type: keyword
+ description: |
+ A reject ID that corresponds to the one presented in the Mobile Access error page.
+ - name: rematch_info
+ type: keyword
+ description: |
+ Information sent when old connections cannot be matched during policy installation.
+ - name: remediated_files
+ type: keyword
+ description: |
+ In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer.
+ - name: reply_status
+ type: integer
+ description: |
+ ICAP reply status code, e.g. 200 or 204.
+ - name: risk
+ type: keyword
+ description: |
+ Risk level we got from the engine.
+ - name: rpc_prog
+ type: integer
+ description: |
+ Log for new RPC state - prog values.
+ - name: rule
+ type: integer
+ description: |
+ Matched rule number.
+ - name: rule_action
+ type: keyword
+ description: |
+ Action of the matched rule in the access policy.
+ - name: rulebase_id
+ type: integer
+ description: |
+ Layer number.
+ - name: scan_direction
+ type: keyword
+ description: |
+ Scan direction.
+ - name: scan_hosts_day
+ type: integer
+ description: |
+ Number of unique hosts during the last day.
+ - name: scan_hosts_hour
+ type: integer
+ description: |
+ Number of unique hosts during the last hour.
+ - name: scan_hosts_week
+ type: integer
+ description: |
+ Number of unique hosts during the last week.
+ - name: scan_id
+ type: keyword
+ description: |
+ Sequential number of scan.
+ - name: scan_mail
+ type: integer
+ description: |
+ Number of emails that were scanned by "AB malicious activity" engine.
+ - name: scan_results
+ type: keyword
+ description: |
+ "Infected"/description of a failure.
+ - name: scheme
+ type: keyword
+ description: |
+ Describes the scheme used for the log.
+ - name: scope
+ type: keyword
+ description: |
+ IP related to the attack.
+ - name: scrub_activity
+ type: keyword
+ description: |
+ The result of the extraction
+ - name: scrub_download_time
+ type: keyword
+ description: |
+ File download time from resource.
+ - name: scrub_time
+ type: keyword
+ description: |
+ Extraction process duration.
+ - name: scrub_total_time
+ type: keyword
+ description: |
+ Threat extraction total file handling time.
+ - name: scrubbed_content
+ type: keyword
+ description: |
+ Active content that was found.
+ - name: sctp_association_state
+ type: keyword
+ description: |
+ The bad state you were trying to update to.
+ - name: sctp_error
+ type: keyword
+ description: |
+ Error information, what caused sctp to fail on out_of_state.
+ - name: scv_message_info
+ type: keyword
+ description: |
+ Drop reason.
+ - name: scv_user
+ type: keyword
+ description: |
+ Username whose packets are dropped on SCV.
+ - name: securexl_message
+ type: keyword
+ description: |
+ Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop.
+ - name: session_id
+ type: keyword
+ description: |
+ Log uuid.
+ - name: session_uid
+ type: keyword
+ description: |
+ HTTP session-id.
+ - name: short_desc
+ type: keyword
+ description: |
+ Short description of the process that was executed.
+ - name: sig_id
+ type: keyword
+ description: |
+ Application's signature ID which how it was detected by.
+ - name: similar_communication
+ type: keyword
+ description: |
+ Network action found similar to the malicious file.
+ - name: similar_hashes
+ type: keyword
+ description: |
+ Hashes found similar to the malicious file.
+ - name: similar_strings
+ type: keyword
+ description: |
+ Strings found similar to the malicious file.
+ - name: similiar_iocs
+ type: keyword
+ description: |
+ Other IoCs similar to the ones found, related to the malicious file.
+ - name: sip_reason
+ type: keyword
+ description: |
+ Explains why 'source_ip' isn't allowed to redirect (handover).
+ - name: site_name
+ type: keyword
+ description: |
+ Site name.
+ - name: source_interface
+ type: keyword
+ description: |
+ External Interface name for source interface or Null if not found.
+ - name: source_object
+ type: keyword
+ description: |
+ Matched object name on source column.
+ - name: source_os
+ type: keyword
+ description: |
+ OS which generated the attack.
+ - name: special_properties
+ type: integer
+ description: |
+ If this field is set to '1' the log will not be shown (in use for monitoring scan progress).
+ - name: specific_data_type_name
+ type: keyword
+ description: |
+ Compound/Group scenario, data type that was matched.
+ - name: speed
+ type: integer
+ description: |
+ Current scan speed.
+ - name: spyware_name
+ type: keyword
+ description: |
+ Spyware name.
+ - name: spyware_type
+ type: keyword
+ description: |
+ Spyware type.
+ - name: src_country
+ type: keyword
+ description: |
+ Country name, derived from connection source IP address.
+ - name: src_phone_number
+ type: keyword
+ description: |
+ Source IP-Phone.
+ - name: src_user_dn
+ type: keyword
+ description: |
+ User distinguished name connected to source IP.
+ - name: src_user_name
+ type: keyword
+ description: |
+ User name connected to source IP
+ - name: srckeyid
+ type: keyword
+ description: |
+ Initiator Spi ID.
+ - name: status
+ type: keyword
+ description: |
+ Ok/Warning/Error.
+ - name: status_update
+ type: keyword
+ description: |
+ Last time log was updated.
+ - name: sub_policy_name
+ type: keyword
+ description: |
+ Layer name.
+ - name: sub_policy_uid
+ type: keyword
+ description: |
+ Layer uid.
+ - name: subscriber
+ type: ip
+ description: |
+ Source IP before CGNAT.
+ - name: summary
+ type: keyword
+ description: |
+ Summary message of a non-compliant DNS traffic drops or detects.
+ - name: suppressed_logs
+ type: integer
+ description: |
+ Aggregated connections for five minutes on the same source, destination and port.
+ - name: sync
+ type: keyword
+ description: |
+ Sync status and the reason (stable, at risk).
+ - name: sys_message
+ type: keyword
+ description: |
+ System messages
+ - name: tcp_end_reason
+ type: keyword
+ description: |
+ Reason for TCP connection closure.
+ - name: tcp_flags
+ type: keyword
+ description: |
+ TCP packet flags (SYN, ACK, etc.,).
+ - name: tcp_packet_out_of_state
+ type: keyword
+ description: |
+ State violation.
+ - name: tcp_state
+ type: keyword
+ description: |
+ Log reinting a tcp state change.
+ - name: te_verdict_determined_by
+ type: keyword
+ description: |
+ Emulators determined file verdict.
+ - name: ticket_id
+ type: keyword
+ description: |
+ Unique ID per file.
+ - name: tls_server_host_name
+ type: keyword
+ description: |
+ SNI/CN from encrypted TLS connection used by URLF for categorization.
+ - name: top_archive_file_name
+ type: keyword
+ description: |
+ In case of archive file: the file that was sent/received.
+ - name: total_attachments
+ type: integer
+ description: |
+ The number of attachments in an email.
+ - name: triggered_by
+ type: keyword
+ description: |
+ The name of the mechanism that triggered the Software Blade to enforce a protection.
+ - name: trusted_domain
+ type: keyword
+ description: In case of phishing event, the domain, which the attacker was impersonating.
+ - name: unique_detected_day
+ type: integer
+ description: |
+ Detected virus for a specific host during the last day.
+ - name: unique_detected_hour
+ type: integer
+ description: |
+ Detected virus for a specific host during the last hour.
+ - name: unique_detected_week
+ type: integer
+ description: |
+ Detected virus for a specific host during the last week.
+ - name: update_status
+ type: keyword
+ description: Status of database update
+ - name: url
+ type: keyword
+ description: |
+ Translated URL.
+ - name: user
+ type: keyword
+ description: |
+ Source user name.
+ - name: user_agent
+ type: keyword
+ description: |
+ String identifying requesting software user agent.
+ - name: vendor_list
+ type: keyword
+ description: |
+ The vendor name that provided the verdict for a malicious URL.
+ - name: verdict
+ type: keyword
+ description: |
+ TE engine verdict Possible values: Malicious/Benign/Error.
+ - name: via
+ type: keyword
+ description: |
+ Via header is added by proxies for tracking purposes to avoid sending reqests in loop.
+ - name: voip_attach_action_info
+ type: keyword
+ description: |
+ Attachment action Info.
+ - name: voip_attach_sz
+ type: integer
+ description: |
+ Attachment size.
+ - name: voip_call_dir
+ type: keyword
+ description: |
+ Call direction: in/out.
+ - name: voip_call_id
+ type: keyword
+ description: |
+ Call-ID.
+ - name: voip_call_state
+ type: keyword
+ description: |
+ Call state. Possible values: in/out.
+ - name: voip_call_term_time
+ type: keyword
+ description: |
+ Call termination time stamp.
+ - name: voip_config
+ type: keyword
+ description: |
+ Configuration.
+ - name: voip_duration
+ type: keyword
+ description: |
+ Call duration (seconds).
+ - name: voip_est_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_exp
+ type: integer
+ description: |
+ Expiration.
+ - name: voip_from_user_type
+ type: keyword
+ description: |
+ Source IP-Phone type.
+ - name: voip_log_type
+ type: keyword
+ description: |
+ VoIP log types. Possible values: reject, call, registration.
+ - name: voip_media_codec
+ type: keyword
+ description: |
+ Estimated codec.
+ - name: voip_media_ipp
+ type: keyword
+ description: |
+ Media IP protocol.
+ - name: voip_media_port
+ type: keyword
+ description: |
+ Media int.
+ - name: voip_method
+ type: keyword
+ description: |
+ Registration request.
+ - name: voip_reason_info
+ type: keyword
+ description: |
+ Information.
+ - name: voip_reg_int
+ type: integer
+ description: |
+ Registration port.
+ - name: voip_reg_ipp
+ type: integer
+ description: |
+ Registration IP protocol.
+ - name: voip_reg_period
+ type: integer
+ description: |
+ Registration period.
+ - name: voip_reg_server
+ type: ip
+ description: |
+ Registrar server IP address.
+ - name: voip_reg_user_type
+ type: keyword
+ description: |
+ Registered IP-Phone type.
+ - name: voip_reject_reason
+ type: keyword
+ description: |
+ Reject reason.
+ - name: voip_to_user_type
+ type: keyword
+ description: |
+ Destination IP-Phone type.
+ - name: vpn_feature_name
+ type: keyword
+ description: |
+ L2TP /IKE / Link Selection.
+ - name: watermark
+ type: keyword
+ description: |
+ Reports whether watermark is added to the cleaned file.
+ - name: web_server_type
+ type: keyword
+ description: |
+ Web server detected in the HTTP response.
+ - name: word_list
+ type: keyword
+ description: |
+ Words matched by data type.
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/manifest.yml b/packages/checkpoint/1.5.1/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..f3ae072599
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/manifest.yml
@@ -0,0 +1,133 @@
+type: logs
+title: Check Point firewall logs
+streams:
+ - input: udp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: udp.yml.hbs
+ title: Check Point firewall logs (syslog over UDP)
+ description: Collect Check Point firewall logs using udp input
+ - input: tcp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ template_path: tcp.yml.hbs
+ title: Check Point firewall logs (syslog over TCP)
+ description: Collect Check Point firewall logs using tcp input
+ - input: logfile
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: log.yml.hbs
+ title: Check Point firewall logs (log)
+ description: Collect Check Point firewall logs using log input
diff --git a/packages/checkpoint/1.5.1/data_stream/firewall/sample_event.json b/packages/checkpoint/1.5.1/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..a375c48028
--- /dev/null
+++ b/packages/checkpoint/1.5.1/data_stream/firewall/sample_event.json
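Review bot: The `tcp_options` default for the tcp stream carries a typo in its commented template, `#framing: delimitier`; the template exists to be uncommented, so an operator who does so gets an invalid framing value, and it should read `#framing: delimiter`. In the same stream, the `ssl` var's description, `i.e. certificate_authorities, supported_protocols, verification_mode etc.`, lists examples and should say `e.g.`; since every line of its default is commented out, a sentence noting that the TCP input accepts plaintext syslog until this block is configured would help operators decide whether to enable it, e.g. `description: Optional TLS settings for the TCP listener (e.g. certificate_authorities, supported_protocols, verification_mode). Without this block the input accepts unencrypted syslog.`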
@@ -0,0 +1,64 @@
+{
+ "@timestamp": "2020-03-29T13:19:20.000Z",
+ "agent": {
+ "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "checkpoint": {
+ "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. Your network may be at risk"
+ },
+ "data_stream": {
+ "dataset": "checkpoint.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2021-12-25T09:18:51.178Z",
+ "dataset": "checkpoint.firewall",
+ "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+ "ingested": "2021-12-25T09:18:52Z",
+ "kind": "event",
+ "sequence": 1,
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.32.7:52492"
+ }
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "daemon"
+ }
+ },
+ "name": "192.168.1.100",
+ "product": "System Monitor",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "tags": [
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/checkpoint/1.5.1/docs/README.md b/packages/checkpoint/1.5.1/docs/README.md
new file mode 100755
index 0000000000..fc59623876
--- /dev/null
+++ b/packages/checkpoint/1.5.1/docs/README.md
@@ -0,0 +1,671 @@
+# Check Point Integration
+
+This integration is for [Check Point](https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.8%20) products. It includes the
+following datasets for receiving logs:
+
+- `firewall` dataset: consists of log entries from the [Log Exporter](
+ https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323)
+ in the Syslog format.
+
+## Compatibility
+
+This module has been tested against Check Point Log Exporter on R80.X but should also work with R77.30.
+
+## Logs
+
+### Firewall
+
+Consists of log entries from the Log Exporter in the Syslog format.
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2020-03-29T13:19:20.000Z",
+ "agent": {
+ "ephemeral_id": "7c0059da-6518-4067-9e8d-0f1b316dfef5",
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "checkpoint": {
+ "sys_message": "The eth0 interface is not protected by the anti-spoofing feature. 
Your network may be at risk"
+ },
+ "data_stream": {
+ "dataset": "checkpoint.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "ba9ee39d-37f1-433a-8800-9d424cb9dd11",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "created": "2021-12-25T09:18:51.178Z",
+ "dataset": "checkpoint.firewall",
+ "id": "{0x5e80a059,0x0,0x6401a8c0,0x3c7878a}",
+ "ingested": "2021-12-25T09:18:52Z",
+ "kind": "event",
+ "sequence": 1,
+ "timezone": "+00:00"
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.32.7:52492"
+ }
+ },
+ "network": {
+ "direction": "inbound"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "daemon"
+ }
+ },
+ "name": "192.168.1.100",
+ "product": "System Monitor",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "tags": [
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| checkpoint.action_reason | Connection drop reason. | integer |
+| checkpoint.action_reason_msg | Connection drop reason message. | keyword |
+| checkpoint.additional_info | ID of original file/mail which are sent by admin. | keyword |
+| checkpoint.additional_ip | DNS host name. | keyword |
+| checkpoint.additional_rdata | List of additional resource records. | keyword |
+| checkpoint.alert | Alert level of matched rule (for connection logs). | keyword |
+| checkpoint.allocated_ports | Amount of allocated ports. | integer |
+| checkpoint.analyzed_on | Check Point ThreatCloud / emulator name. | keyword |
+| checkpoint.answer_rdata | List of answer resource records to the questioned domains. | keyword |
+| checkpoint.anti_virus_type | Anti virus type. | keyword |
+| checkpoint.app_desc | Application description. | keyword |
+| checkpoint.app_id | Application ID. 
| integer |
+| checkpoint.app_package | Unique identifier of the application on the protected mobile device. | keyword |
+| checkpoint.app_properties | List of all found categories. | keyword |
+| checkpoint.app_repackaged | Indicates whether the original application was repackage not by the official developer. | keyword |
+| checkpoint.app_sid_id | Unique SHA identifier of a mobile application. | keyword |
+| checkpoint.app_sig_id | IOC indicator description. | keyword |
+| checkpoint.app_version | Version of the application downloaded on the protected mobile device. | keyword |
+| checkpoint.appi_name | Name of application downloaded on the protected mobile device. | keyword |
+| checkpoint.arrival_time | Email arrival timestamp. | keyword |
+| checkpoint.attachments_num | Number of attachments in the mail. | integer |
+| checkpoint.attack_status | In case of a malicious event on an endpoint computer, the status of the attack. | keyword |
+| checkpoint.audit_status | Audit Status. Can be Success or Failure. | keyword |
+| checkpoint.auth_method | Password authentication protocol used (PAP or EAP). | keyword |
+| checkpoint.authority_rdata | List of authoritative servers. | keyword |
+| checkpoint.authorization | Authorization HTTP header value. | keyword |
+| checkpoint.bcc | List of BCC addresses. | keyword |
+| checkpoint.blade_name | Blade name. | keyword |
+| checkpoint.broker_publisher | IP address of the broker publisher who shared the session information. | ip |
+| checkpoint.browse_time | Application session browse time. | keyword |
+| checkpoint.c_bytes | Boolean value indicates whether bytes sent from the client side are used. | integer |
+| checkpoint.calc_desc | Log description. | keyword |
+| checkpoint.capacity | Capacity of the ports. | integer |
+| checkpoint.capture_uuid | UUID generated for the capture. Used when enabling the capture when logging. | keyword |
+| checkpoint.cc | The Carbon Copy address of the email. 
| keyword |
+| checkpoint.certificate_resource | HTTPS resource Possible values: SNI or domain name (DN). | keyword |
+| checkpoint.certificate_validation | Precise error, describing HTTPS certificate failure under "HTTPS categorize websites" feature. | keyword |
+| checkpoint.cgnet | Describes NAT allocation for specific subscriber. | keyword |
+| checkpoint.chunk_type | Chunck of the sctp stream. | keyword |
+| checkpoint.client_name | Client Application or Software Blade that detected the event. | keyword |
+| checkpoint.client_type | Endpoint Connect. | keyword |
+| checkpoint.client_type_os | Client OS detected in the HTTP request. | keyword |
+| checkpoint.client_version | Build version of SandBlast Agent client installed on the computer. | keyword |
+| checkpoint.cluster_info | Cluster information. Possible options: Failover reason/cluster state changes/CP cluster or 3rd party. | keyword |
+| checkpoint.comment | | keyword |
+| checkpoint.community | Community name for the IPSec key and the use of the IKEv. | keyword |
+| checkpoint.confidence_level | Confidence level determined by ThreatCloud. | integer |
+| checkpoint.conn_direction | Connection direction | keyword |
+| checkpoint.connection_uid | Calculation of md5 of the IP and user name as UID. | keyword |
+| checkpoint.connectivity_level | Log for a new connection in wire mode. | keyword |
+| checkpoint.conns_amount | Connections amount of aggregated log info. | integer |
+| checkpoint.content_disposition | Indicates how the content is expected to be displayed inline in the browser. | keyword |
+| checkpoint.content_length | Indicates the size of the entity-body of the HTTP header. | keyword |
+| checkpoint.content_risk | File risk. | integer |
+| checkpoint.content_type | Mail content type. Possible values: application/msword, text/html, image/gif etc. | keyword |
+| checkpoint.context_num | Serial number of the log for a specific connection. | integer |
+| checkpoint.cookieI | Initiator cookie. 
| keyword |
+| checkpoint.cookieR | Responder cookie. | keyword |
+| checkpoint.cp_message | Used to log a general message. | integer |
+| checkpoint.cvpn_category | Mobile Access application type. | keyword |
+| checkpoint.cvpn_resource | Mobile Access application. | keyword |
+| checkpoint.data_type_name | Data type in rulebase that was matched. | keyword |
+| checkpoint.db_ver | Database version | keyword |
+| checkpoint.dce-rpc_interface_uuid | Log for new RPC state - UUID values | keyword |
+| checkpoint.delivery_time | Timestamp of when email was delivered (MTA finished handling the email. | keyword |
+| checkpoint.desc | Override application description. | keyword |
+| checkpoint.description | Additional explanation how the security gateway enforced the connection. | keyword |
+| checkpoint.destination_object | Matched object name on destination column. | keyword |
+| checkpoint.detected_on | System and applications version the file was emulated on. | keyword |
+| checkpoint.developer_certificate_name | Name of the developer's certificate that was used to sign the mobile application. | keyword |
+| checkpoint.diameter_app_ID | The ID of diameter application. | integer |
+| checkpoint.diameter_cmd_code | Diameter not allowed application command id. | integer |
+| checkpoint.diameter_msg_type | Diameter message type. | keyword |
+| checkpoint.dlp_action_reason | Action chosen reason. | keyword |
+| checkpoint.dlp_additional_action | Watermark/None. | keyword |
+| checkpoint.dlp_categories | Data type category. | keyword |
+| checkpoint.dlp_data_type_name | Matched data type. | keyword |
+| checkpoint.dlp_data_type_uid | Unique ID of the matched data type. | keyword |
+| checkpoint.dlp_fingerprint_files_number | Number of successfully scanned files in repository. | integer |
+| checkpoint.dlp_fingerprint_long_status | Scan status - long format. | keyword |
+| checkpoint.dlp_fingerprint_short_status | Scan status - short format. 
| keyword |
+| checkpoint.dlp_incident_uid | Unique ID of the matched rule. | keyword |
+| checkpoint.dlp_recipients | Mail recipients. | keyword |
+| checkpoint.dlp_related_incident_uid | Other ID related to this one. | keyword |
+| checkpoint.dlp_relevant_data_types | In case of Compound/Group: the inner data types that were matched. | keyword |
+| checkpoint.dlp_repository_directories_number | Number of directories in repository. | integer |
+| checkpoint.dlp_repository_files_number | Number of files in repository. | integer |
+| checkpoint.dlp_repository_id | ID of scanned repository. | keyword |
+| checkpoint.dlp_repository_not_scanned_directories_percentage | Percentage of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_repository_reached_directories_number | Number of scanned directories in repository. | integer |
+| checkpoint.dlp_repository_root_path | Repository path. | keyword |
+| checkpoint.dlp_repository_scan_progress | Scan percentage. | integer |
+| checkpoint.dlp_repository_scanned_directories_number | Amount of directories scanned. | integer |
+| checkpoint.dlp_repository_scanned_files_number | Number of scanned files in repository. | integer |
+| checkpoint.dlp_repository_scanned_total_size | Size scanned. | integer |
+| checkpoint.dlp_repository_skipped_files_number | Skipped number of files because of configuration. | integer |
+| checkpoint.dlp_repository_total_size | Repository size. | integer |
+| checkpoint.dlp_repository_unreachable_directories_number | Number of directories the Security Gateway was unable to read. | integer |
+| checkpoint.dlp_rule_name | Matched rule name. | keyword |
+| checkpoint.dlp_subject | Mail subject. | keyword |
+| checkpoint.dlp_template_score | Template data type match score. | keyword |
+| checkpoint.dlp_transint | HTTP/SMTP/FTP. | keyword |
+| checkpoint.dlp_violation_description | Violation descriptions described in the rulebase. 
| keyword |
+| checkpoint.dlp_watermark_profile | Watermark which was applied. | keyword |
+| checkpoint.dlp_word_list | Phrases matched by data type. | keyword |
+| checkpoint.dns_query | DNS query. | keyword |
+| checkpoint.drop_reason | Drop reason description. | keyword |
+| checkpoint.dropped_file_hash | List of file hashes dropped from the original file. | keyword |
+| checkpoint.dropped_file_name | List of names dropped from the original file. | keyword |
+| checkpoint.dropped_file_type | List of file types dropped from the original file. | keyword |
+| checkpoint.dropped_file_verdict | List of file verdics dropped from the original file. | keyword |
+| checkpoint.dropped_incoming | Number of incoming bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_outgoing | Number of outgoing bytes dropped when using UP-limit feature. | integer |
+| checkpoint.dropped_total | Amount of dropped packets (both incoming and outgoing). | integer |
+| checkpoint.drops_amount | Amount of multicast packets dropped. | integer |
+| checkpoint.dst_country | Destination country. | keyword |
+| checkpoint.dst_phone_number | Destination IP-Phone. | keyword |
+| checkpoint.dst_user_name | Connected user name on the destination IP. | keyword |
+| checkpoint.dstkeyid | Responder Spi ID. | keyword |
+| checkpoint.duplicate | Log marked as duplicated, when mail is split and the Security Gateway sees it twice. | keyword |
+| checkpoint.duration | Scan duration. | keyword |
+| checkpoint.elapsed | Time passed since start time. | keyword |
+| checkpoint.email_content | Mail contents. Possible options: attachments/links & attachments/links/text only. | keyword |
+| checkpoint.email_control | Engine name. | keyword |
+| checkpoint.email_control_analysis | Message classification, received from spam vendor engine. | keyword |
+| checkpoint.email_headers | String containing all the email headers. | keyword |
+| checkpoint.email_id | Email number in smtp connection. 
| keyword |
+| checkpoint.email_message_id | Email session id (uniqe ID of the mail). | keyword |
+| checkpoint.email_queue_id | Postfix email queue id. | keyword |
+| checkpoint.email_queue_name | Postfix email queue name. | keyword |
+| checkpoint.email_recipients_num | Amount of recipients whom the mail was sent to. | long |
+| checkpoint.email_session_id | Connection uuid. | keyword |
+| checkpoint.email_spam_category | Email categories. Possible values: spam/not spam/phishing. | keyword |
+| checkpoint.email_status | Describes the email's state. Possible options: delivered, deferred, skipped, bounced, hold, new, scan_started, scan_ended | keyword |
+| checkpoint.email_subject | Original email subject. | keyword |
+| checkpoint.emulated_on | Images the files were emulated on. | keyword |
+| checkpoint.encryption_failure | Message indicating why the encryption failed. | keyword |
+| checkpoint.end_time | TCP connection end time. | keyword |
+| checkpoint.end_user_firewall_type | End user firewall type. | keyword |
+| checkpoint.esod_access_status | Access denied. | keyword |
+| checkpoint.esod_associated_policies | Associated policies. | keyword |
+| checkpoint.esod_noncompliance_reason | Non-compliance reason. | keyword |
+| checkpoint.esod_rule_action | Unknown rule action. | keyword |
+| checkpoint.esod_rule_name | Unknown rule name. | keyword |
+| checkpoint.esod_rule_type | Unknown rule type. | keyword |
+| checkpoint.esod_scan_status | Scan failed. | keyword |
+| checkpoint.event_count | Number of events associated with the log. | long |
+| checkpoint.expire_time | Connection closing time. | keyword |
+| checkpoint.extension_version | Build version of the SandBlast Agent browser extension. | keyword |
+| checkpoint.extracted_file_hash | Archive hash in case of extracted files. | keyword |
+| checkpoint.extracted_file_names | Names of extracted files in case of an archive. 
| keyword |
+| checkpoint.extracted_file_type | Types of extracted files in case of an archive. | keyword |
+| checkpoint.extracted_file_uid | UID of extracted files in case of an archive. | keyword |
+| checkpoint.extracted_file_verdict | Verdict of extracted files in case of an archive. | keyword |
+| checkpoint.failure_impact | The impact of update service failure. | keyword |
+| checkpoint.failure_reason | MTA failure description. | keyword |
+| checkpoint.file_direction | File direction. Possible options: upload/download. | keyword |
+| checkpoint.file_name | Malicious file name. | keyword |
+| checkpoint.files_names | List of files requested by FTP. | keyword |
+| checkpoint.first_hit_time | First hit time in current interval. | integer |
+| checkpoint.fs-proto | The file share protocol used in mobile acess file share application. | keyword |
+| checkpoint.ftp_user | FTP username. | keyword |
+| checkpoint.fw_message | Used for various firewall errors. | keyword |
+| checkpoint.fw_subproduct | Can be vpn/non vpn. | keyword |
+| checkpoint.hide_ip | Source IP which will be used after CGNAT. | ip |
+| checkpoint.hit | Number of hits on a rule. | integer |
+| checkpoint.host_time | Local time on the endpoint computer. | keyword |
+| checkpoint.http_host | Domain name of the server that the HTTP request is sent to. | keyword |
+| checkpoint.http_location | Response header, indicates the URL to redirect a page to. | keyword |
+| checkpoint.http_server | Server HTTP header value, contains information about the software used by the origin server, which handles the request. | keyword |
+| checkpoint.https_inspection_action | HTTPS inspection action (Inspect/Bypass/Error). | keyword |
+| checkpoint.https_inspection_rule_id | ID of the matched rule. | keyword |
+| checkpoint.https_inspection_rule_name | Name of the matched rule. | keyword |
+| checkpoint.https_validation | Precise error, describing HTTPS inspection failure. 
| keyword |
+| checkpoint.icap_more_info | Free text for verdict. | integer |
+| checkpoint.icap_server_name | Server name. | keyword |
+| checkpoint.icap_server_service | Service name, as given in the ICAP URI | keyword |
+| checkpoint.icap_service_id | Service ID, can work with multiple servers, treated as services. | integer |
+| checkpoint.icmp | Number of packets, received by the client. | keyword |
+| checkpoint.icmp_code | In case a connection is ICMP, code info will be added to the log. | long |
+| checkpoint.icmp_type | In case a connection is ICMP, type info will be added to the log. | long |
+| checkpoint.id | Override application ID. | integer |
+| checkpoint.ike | IKEMode (PHASE1, PHASE2, etc..). | keyword |
+| checkpoint.ike_ids | All QM ids. | keyword |
+| checkpoint.impacted_files | In case of an infection on an endpoint computer, the list of files that the malware impacted. | keyword |
+| checkpoint.incident_extension | Matched data type. | keyword |
+| checkpoint.indicator_description | IOC indicator description. | keyword |
+| checkpoint.indicator_name | IOC indicator name. | keyword |
+| checkpoint.indicator_reference | IOC indicator reference. | keyword |
+| checkpoint.indicator_uuid | IOC indicator uuid. | keyword |
+| checkpoint.info | Special log message. | keyword |
+| checkpoint.information | Policy installation status for a specific blade. | keyword |
+| checkpoint.inspection_category | Inspection category: protocol anomaly, signature etc. | keyword |
+| checkpoint.inspection_item | Blade element performed inspection. | keyword |
+| checkpoint.inspection_profile | Profile which the activated protection belongs to. | keyword |
+| checkpoint.inspection_settings_log | Indicats that the log was released by inspection settings. | keyword |
+| checkpoint.installed_products | List of installed Endpoint Software Blades. | keyword |
+| checkpoint.int_end | Subscriber end int which will be used for NAT. 
| integer |
+| checkpoint.int_start | Subscriber start int which will be used for NAT. | integer |
+| checkpoint.interface_name | Designated interface for mirror And decrypt. | keyword |
+| checkpoint.internal_error | Internal error, for troubleshooting | keyword |
+| checkpoint.invalid_file_size | File_size field is valid only if this field is set to 0. | integer |
+| checkpoint.ip_option | IP option that was dropped. | integer |
+| checkpoint.isp_link | Name of ISP link. | keyword |
+| checkpoint.last_hit_time | Last hit time in current interval. | integer |
+| checkpoint.last_rematch_time | Connection rematched time. | keyword |
+| checkpoint.layer_name | Layer name. | keyword |
+| checkpoint.layer_uuid | Layer UUID. | keyword |
+| checkpoint.limit_applied | Indicates whether the session was actually date limited. | integer |
+| checkpoint.limit_requested | Indicates whether data limit was requested for the session. | integer |
+| checkpoint.link_probing_status_update | IP address response status. | keyword |
+| checkpoint.links_num | Number of links in the mail. | integer |
+| checkpoint.log_delay | Time left before deleting template. | integer |
+| checkpoint.log_id | Unique identity for logs. | integer |
+| checkpoint.logid | System messages | keyword |
+| checkpoint.long_desc | More information on the process (usually describing error reason in failure). | keyword |
+| checkpoint.machine | L2TP machine which triggered the log and the log refers to it. | keyword |
+| checkpoint.malware_family | Additional information on protection. | keyword |
+| checkpoint.match_fk | Rule number. | integer |
+| checkpoint.match_id | Private key of the rule | integer |
+| checkpoint.matched_file | Unique ID of the matched data type. | keyword |
+| checkpoint.matched_file_percentage | Fingerprint: match percentage of the traffic. | integer |
+| checkpoint.matched_file_text_segments | Fingerprint: number of text segments matched by this traffic. 
| integer |
+| checkpoint.media_type | Media used (audio, video, etc.) | keyword |
+| checkpoint.message | ISP link has failed. | keyword |
+| checkpoint.message_info | Used for information messages, for example:NAT connection has ended. | keyword |
+| checkpoint.message_size | Mail/post size. | integer |
+| checkpoint.method | HTTP method. | keyword |
+| checkpoint.methods | IPSEc methods. | keyword |
+| checkpoint.mime_from | Sender's address. | keyword |
+| checkpoint.mime_to | List of receiver address. | keyword |
+| checkpoint.mirror_and_decrypt_type | Information about decrypt and forward. Possible values: Mirror only, Decrypt and mirror, Partial mirroring (HTTPS inspection Bypass). | keyword |
+| checkpoint.mitre_collection | The adversary is trying to collect data of interest to achieve his goal. | keyword |
+| checkpoint.mitre_command_and_control | The adversary is trying to communicate with compromised systems in order to control them. | keyword |
+| checkpoint.mitre_credential_access | The adversary is trying to steal account names and passwords. | keyword |
+| checkpoint.mitre_defense_evasion | The adversary is trying to avoid being detected. | keyword |
+| checkpoint.mitre_discovery | The adversary is trying to expose information about your environment. | keyword |
+| checkpoint.mitre_execution | The adversary is trying to run malicious code. | keyword |
+| checkpoint.mitre_exfiltration | The adversary is trying to steal data. | keyword |
+| checkpoint.mitre_impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. | keyword |
+| checkpoint.mitre_initial_access | The adversary is trying to break into your network. | keyword |
+| checkpoint.mitre_lateral_movement | The adversary is trying to explore your environment. | keyword |
+| checkpoint.mitre_persistence | The adversary is trying to maintain his foothold. 
| keyword |
+| checkpoint.mitre_privilege_escalation | The adversary is trying to gain higher-level permissions. | keyword |
+| checkpoint.monitor_reason | Aggregated logs of monitored packets. | keyword |
+| checkpoint.msgid | Message ID. | keyword |
+| checkpoint.name | Application name. | keyword |
+| checkpoint.nat46 | NAT 46 status, in most cases "enabled". | keyword |
+| checkpoint.nat_addtnl_rulenum | When matching 2 automatic rules , second rule match will be shown otherwise field will be 0. | integer |
+| checkpoint.nat_exhausted_pool | 4-tuple of an exhausted pool. | keyword |
+| checkpoint.nat_rulenum | NAT rulebase first matched rule. | integer |
+| checkpoint.needs_browse_time | Browse time required for the connection. | integer |
+| checkpoint.next_hop_ip | Next hop IP address. | keyword |
+| checkpoint.next_scheduled_scan_date | Next scan scheduled time according to time object. | keyword |
+| checkpoint.number_of_errors | Number of files that were not scanned due to an error. | integer |
+| checkpoint.objecttable | Table of affected objects. | keyword |
+| checkpoint.objecttype | The type of the affected object. | keyword |
+| checkpoint.observable_comment | IOC observable signature description. | keyword |
+| checkpoint.observable_id | IOC observable signature id. | keyword |
+| checkpoint.observable_name | IOC observable signature name. | keyword |
+| checkpoint.operation | Operation made by Threat Extraction. | keyword |
+| checkpoint.operation_number | The operation nuber. | keyword |
+| checkpoint.origin_sic_name | Machine SIC. | keyword |
+| checkpoint.original_queue_id | Original postfix email queue id. | keyword |
+| checkpoint.outgoing_url | URL related to this log (for HTTP). | keyword |
+| checkpoint.packet_amount | Amount of packets dropped. | integer |
+| checkpoint.packet_capture_unique_id | Identifier of the packet capture files. | keyword |
+| checkpoint.parent_file_hash | Archive's hash in case of extracted files. 
| keyword |
+| checkpoint.parent_file_name | Archive's name in case of extracted files. | keyword |
+| checkpoint.parent_file_uid | Archive's UID in case of extracted files. | keyword |
+| checkpoint.parent_process_username | Owner username of the parent process of the process that triggered the attack. | keyword |
+| checkpoint.parent_rule | Parent rule number, in case of inline layer. | integer |
+| checkpoint.peer_gateway | Main IP of the peer Security Gateway. | ip |
+| checkpoint.peer_ip | IP address which the client connects to. | keyword |
+| checkpoint.peer_ip_probing_status_update | IP address response status. | keyword |
+| checkpoint.performance_impact | Protection performance impact. | integer |
+| checkpoint.policy_mgmt | Name of the Management Server that manages this Security Gateway. | keyword |
+| checkpoint.policy_name | Name of the last policy that this Security Gateway fetched. | keyword |
+| checkpoint.ports_usage | Percentage of allocated ports. | integer |
+| checkpoint.ppp | Authentication status. | keyword |
+| checkpoint.precise_error | HTTP parser error. | keyword |
+| checkpoint.process_username | Owner username of the process that triggered the attack. | keyword |
+| checkpoint.properties | Application categories. | keyword |
+| checkpoint.protection_id | Protection malware id. | keyword |
+| checkpoint.protection_name | Specific signature name of the attack. | keyword |
+| checkpoint.protection_type | Type of protection used to detect the attack. | keyword |
+| checkpoint.protocol | Protocol detected on the connection. | keyword |
+| checkpoint.proxy_machine_name | Machine name connected to proxy IP. | integer |
+| checkpoint.proxy_src_ip | Sender source IP (even when using proxy). | ip |
+| checkpoint.proxy_user_dn | User distinguished name connected to proxy IP. | keyword |
+| checkpoint.proxy_user_name | User name connected to proxy IP. | keyword |
+| checkpoint.query | DNS query. 
| keyword | +| checkpoint.question_rdata | List of question records domains. | keyword | +| checkpoint.referrer | Referrer HTTP request header, previous web page address. | keyword | +| checkpoint.referrer_parent_uid | Log UUID of the referring application. | keyword | +| checkpoint.referrer_self_uid | UUID of the current log. | keyword | +| checkpoint.registered_ip-phones | Registered IP-Phones. | keyword | +| checkpoint.reject_category | Authentication failure reason. | keyword | +| checkpoint.reject_id | A reject ID that corresponds to the one presented in the Mobile Access error page. | keyword | +| checkpoint.rematch_info | Information sent when old connections cannot be matched during policy installation. | keyword | +| checkpoint.remediated_files | In case of an infection and a successful cleaning of that infection, this is a list of remediated files on the computer. | keyword | +| checkpoint.reply_status | ICAP reply status code, e.g. 200 or 204. | integer | +| checkpoint.risk | Risk level we got from the engine. | keyword | +| checkpoint.rpc_prog | Log for new RPC state - prog values. | integer | +| checkpoint.rule | Matched rule number. | integer | +| checkpoint.rule_action | Action of the matched rule in the access policy. | keyword | +| checkpoint.rulebase_id | Layer number. | integer | +| checkpoint.scan_direction | Scan direction. | keyword | +| checkpoint.scan_hosts_day | Number of unique hosts during the last day. | integer | +| checkpoint.scan_hosts_hour | Number of unique hosts during the last hour. | integer | +| checkpoint.scan_hosts_week | Number of unique hosts during the last week. | integer | +| checkpoint.scan_id | Sequential number of scan. | keyword | +| checkpoint.scan_mail | Number of emails that were scanned by "AB malicious activity" engine. | integer | +| checkpoint.scan_results | "Infected"/description of a failure. | keyword | +| checkpoint.scheme | Describes the scheme used for the log. 
| keyword | +| checkpoint.scope | IP related to the attack. | keyword | +| checkpoint.scrub_activity | The result of the extraction | keyword | +| checkpoint.scrub_download_time | File download time from resource. | keyword | +| checkpoint.scrub_time | Extraction process duration. | keyword | +| checkpoint.scrub_total_time | Threat extraction total file handling time. | keyword | +| checkpoint.scrubbed_content | Active content that was found. | keyword | +| checkpoint.sctp_association_state | The bad state you were trying to update to. | keyword | +| checkpoint.sctp_error | Error information, what caused sctp to fail on out_of_state. | keyword | +| checkpoint.scv_message_info | Drop reason. | keyword | +| checkpoint.scv_user | Username whose packets are dropped on SCV. | keyword | +| checkpoint.securexl_message | Two options for a SecureXL message: 1. Missed accounting records after heavy load on logging system. 2. FW log message regarding a packet drop. | keyword | +| checkpoint.session_id | Log uuid. | keyword | +| checkpoint.session_uid | HTTP session-id. | keyword | +| checkpoint.short_desc | Short description of the process that was executed. | keyword | +| checkpoint.sig_id | Application's signature ID which how it was detected by. | keyword | +| checkpoint.similar_communication | Network action found similar to the malicious file. | keyword | +| checkpoint.similar_hashes | Hashes found similar to the malicious file. | keyword | +| checkpoint.similar_strings | Strings found similar to the malicious file. | keyword | +| checkpoint.similiar_iocs | Other IoCs similar to the ones found, related to the malicious file. | keyword | +| checkpoint.sip_reason | Explains why 'source_ip' isn't allowed to redirect (handover). | keyword | +| checkpoint.site_name | Site name. | keyword | +| checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword | +| checkpoint.source_object | Matched object name on source column. 
| keyword | +| checkpoint.source_os | OS which generated the attack. | keyword | +| checkpoint.special_properties | If this field is set to '1' the log will not be shown (in use for monitoring scan progress). | integer | +| checkpoint.specific_data_type_name | Compound/Group scenario, data type that was matched. | keyword | +| checkpoint.speed | Current scan speed. | integer | +| checkpoint.spyware_name | Spyware name. | keyword | +| checkpoint.spyware_type | Spyware type. | keyword | +| checkpoint.src_country | Country name, derived from connection source IP address. | keyword | +| checkpoint.src_phone_number | Source IP-Phone. | keyword | +| checkpoint.src_user_dn | User distinguished name connected to source IP. | keyword | +| checkpoint.src_user_name | User name connected to source IP | keyword | +| checkpoint.srckeyid | Initiator Spi ID. | keyword | +| checkpoint.status | Ok/Warning/Error. | keyword | +| checkpoint.status_update | Last time log was updated. | keyword | +| checkpoint.sub_policy_name | Layer name. | keyword | +| checkpoint.sub_policy_uid | Layer uid. | keyword | +| checkpoint.subscriber | Source IP before CGNAT. | ip | +| checkpoint.summary | Summary message of a non-compliant DNS traffic drops or detects. | keyword | +| checkpoint.suppressed_logs | Aggregated connections for five minutes on the same source, destination and port. | integer | +| checkpoint.sync | Sync status and the reason (stable, at risk). | keyword | +| checkpoint.sys_message | System messages | keyword | +| checkpoint.tcp_end_reason | Reason for TCP connection closure. | keyword | +| checkpoint.tcp_flags | TCP packet flags (SYN, ACK, etc.,). | keyword | +| checkpoint.tcp_packet_out_of_state | State violation. | keyword | +| checkpoint.tcp_state | Log reinting a tcp state change. | keyword | +| checkpoint.te_verdict_determined_by | Emulators determined file verdict. | keyword | +| checkpoint.ticket_id | Unique ID per file. 
| keyword | +| checkpoint.tls_server_host_name | SNI/CN from encrypted TLS connection used by URLF for categorization. | keyword | +| checkpoint.top_archive_file_name | In case of archive file: the file that was sent/received. | keyword | +| checkpoint.total_attachments | The number of attachments in an email. | integer | +| checkpoint.triggered_by | The name of the mechanism that triggered the Software Blade to enforce a protection. | keyword | +| checkpoint.trusted_domain | In case of phishing event, the domain, which the attacker was impersonating. | keyword | +| checkpoint.unique_detected_day | Detected virus for a specific host during the last day. | integer | +| checkpoint.unique_detected_hour | Detected virus for a specific host during the last hour. | integer | +| checkpoint.unique_detected_week | Detected virus for a specific host during the last week. | integer | +| checkpoint.update_status | Status of database update | keyword | +| checkpoint.url | Translated URL. | keyword | +| checkpoint.user | Source user name. | keyword | +| checkpoint.user_agent | String identifying requesting software user agent. | keyword | +| checkpoint.vendor_list | The vendor name that provided the verdict for a malicious URL. | keyword | +| checkpoint.verdict | TE engine verdict Possible values: Malicious/Benign/Error. | keyword | +| checkpoint.via | Via header is added by proxies for tracking purposes to avoid sending reqests in loop. | keyword | +| checkpoint.voip_attach_action_info | Attachment action Info. | keyword | +| checkpoint.voip_attach_sz | Attachment size. | integer | +| checkpoint.voip_call_dir | Call direction: in/out. | keyword | +| checkpoint.voip_call_id | Call-ID. | keyword | +| checkpoint.voip_call_state | Call state. Possible values: in/out. | keyword | +| checkpoint.voip_call_term_time | Call termination time stamp. | keyword | +| checkpoint.voip_config | Configuration. | keyword | +| checkpoint.voip_duration | Call duration (seconds). 
| keyword | +| checkpoint.voip_est_codec | Estimated codec. | keyword | +| checkpoint.voip_exp | Expiration. | integer | +| checkpoint.voip_from_user_type | Source IP-Phone type. | keyword | +| checkpoint.voip_log_type | VoIP log types. Possible values: reject, call, registration. | keyword | +| checkpoint.voip_media_codec | Estimated codec. | keyword | +| checkpoint.voip_media_ipp | Media IP protocol. | keyword | +| checkpoint.voip_media_port | Media int. | keyword | +| checkpoint.voip_method | Registration request. | keyword | +| checkpoint.voip_reason_info | Information. | keyword | +| checkpoint.voip_reg_int | Registration port. | integer | +| checkpoint.voip_reg_ipp | Registration IP protocol. | integer | +| checkpoint.voip_reg_period | Registration period. | integer | +| checkpoint.voip_reg_server | Registrar server IP address. | ip | +| checkpoint.voip_reg_user_type | Registered IP-Phone type. | keyword | +| checkpoint.voip_reject_reason | Reject reason. | keyword | +| checkpoint.voip_to_user_type | Destination IP-Phone type. | keyword | +| checkpoint.vpn_feature_name | L2TP /IKE / Link Selection. | keyword | +| checkpoint.watermark | Reports whether watermark is added to the cleaned file. | keyword | +| checkpoint.web_server_type | Web server detected in the HTTP response. | keyword | +| checkpoint.word_list | Words matched by data type. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. 
| keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.service.name | Name of the service data is collected from. | keyword | +| destination.user.email | User email address. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.type | The type of DNS event captured, query or answer. 
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| email.bcc.address | The email address of BCC recipient | keyword | +| email.cc.address | The email address of CC recipient | keyword | +| email.delivery_timestamp | The date and time when the email message was received by the service or client. | date | +| email.from.address | The email address of the sender, typically from the RFC 5322 `From:` header field. | keyword | +| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. | keyword | +| email.message_id | Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. | wildcard | +| email.subject | A brief summary of the topic of the message. | keyword | +| email.subject.text | Multi-field of `email.subject`. | match_only_text | +| email.to.address | The email address of recipient | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. 
`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. 
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.sequence | Sequence number of the event. 
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| file.hash.md5 | MD5 hash. 
| keyword | +| file.hash.sha1 | SHA1 hash. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| file.type | File type (file, dir, or symlink). | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address of logs received over the network. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. 
Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. 
| keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.hash.md5 | MD5 hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. 
| keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. 
| keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | + diff --git a/packages/checkpoint/1.5.1/img/checkpoint-logo.svg b/packages/checkpoint/1.5.1/img/checkpoint-logo.svg new file mode 100755 index 0000000000..aa73ccdd7f --- /dev/null +++ b/packages/checkpoint/1.5.1/img/checkpoint-logo.svg @@ -0,0 +1,159 @@ + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/checkpoint/1.5.1/manifest.yml b/packages/checkpoint/1.5.1/manifest.yml new file mode 100755 index 0000000000..6f13d1654a --- /dev/null +++ b/packages/checkpoint/1.5.1/manifest.yml 
@@ -0,0 +1,109 @@
+name: checkpoint
+title: Check Point
+version: 1.5.1
+release: ga
+description: Collect logs from Check Point with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/checkpoint-logo.svg
+ title: Check Point
+ size: 761x341
+ type: image/svg+xml
+policy_templates:
+ - name: checkpoint
+ title: Check Point logs
+ description: Collect logs from Check Point instances
+ inputs:
+ - type: logfile
+ title: "Collect Check Point firewall logs (input: logfile)"
+ description: "Collecting firewall logs from Check Point instances (input: logfile)"
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - trust
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - untrust
+ - type: tcp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type: text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: tcp)"
+ description: "Collecting firewall logs from Check Point instances (input: tcp)"
+ - type: udp
+ vars:
+ - name: syslog_host
+ type: text
+ title: Syslog Host
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: syslog_port
+ type: integer
+ title: Syslog Port
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: internal_zones
+ type:
text
+ title: Internal Zones
+ multi: true
+ required: false
+ show_user: false
+ - name: external_zones
+ type: text
+ title: External Zones
+ multi: true
+ required: false
+ show_user: false
+ title: "Collect Check Point firewall logs (input: udp)"
+ description: "Collecting firewall logs from Check Point instances (input: udp)"
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_asa/2.4.2/changelog.yml b/packages/cisco_asa/2.4.2/changelog.yml
new file mode 100755
index 0000000000..916ddeb3b1
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/changelog.yml
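Review bot: The tcp input under `policy_templates` declares only `syslog_host`, `syslog_port`, `internal_zones` and `external_zones`, so there is no variable through which an operator can enable TLS on the Check Point TCP syslog listener, while the cisco_asa tcp stream added in this same diff emits an optional `ssl: {{ssl}}` block. If the Check Point tcp stream template (outside this chunk) can forward such a value, an optional `ssl` variable here would let operators avoid receiving firewall logs over a plaintext listener; at minimum the tcp input's `description` should state that the listener is plaintext-only. As a style point, the tcp and udp inputs place `title` and `description` after `vars` while the logfile input places them before, which makes the three inputs harder to compare side by side.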
@@ -0,0 +1,110 @@ +# newer versions go on top +- version: "2.4.2" + changes: + - description: Map syslog priority details according to ECS + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 + - description: Extract syslog facility and severity codes from syslog priority + type: bugfix + link: https://github.com/elastic/integrations/pull/3549 +- version: "2.4.1" + changes: + - description: Ensure invalid event.outcome does not get recorded in event + type: bugfix + link: https://github.com/elastic/integrations/pull/3354 +- version: "2.4.0" + changes: + - description: Add TCP input with TLS support + type: enhancement + link: https://github.com/elastic/integrations/pull/3312 +- version: "2.3.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2778 +- version: "2.2.2" + changes: + - description: Change visualizations to use event.code instead of cisco.asa.message_id. + type: bugfix + link: https://github.com/elastic/integrations/pull/3146 +- version: "2.2.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "2.2.0" + changes: + - description: Add community_id processor, update 805001, 304001, 106023 and 602304 message parsing. elastic/beats#26879 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 + - description: Add user.name field to ASA Security negotiation log line. elastic/beats#26975 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 + - description: Change event.outcome and event.type handling to be more ECS compliant. 
elastic/beats#29698 + type: enhancement + link: https://github.com/elastic/integrations/pull/2820 +- version: "2.1.0" + changes: + - description: Add parsing for event code 113029-113040 + type: enhancement + link: https://github.com/elastic/integrations/pull/2535 +- version: "2.0.1" + changes: + - description: Clarify configuration option documentation + type: bugfix + link: https://github.com/elastic/integrations/pull/2649 +- version: "2.0.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2389 +- version: "1.3.2" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "1.3.1" + changes: + - description: Change test public IPs to the supported subset + type: bugfix + link: https://github.com/elastic/integrations/pull/2327 +- version: "1.3.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2236 +- version: "1.2.2" + changes: + - description: Update Title and Description. 
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1952
+- version: "1.2.1"
+ changes:
+ - description: Relax time parsing and capture group and session type in Cisco ASA module
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1891
+- version: "1.2.0"
+ changes:
+ - description: Add support for Cisco ASA SIP events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1865
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1805
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1782
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1732
+- version: "1.0.0"
+ changes:
+ - description: Split Cisco ASA into its own package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1583
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..1190ec3f3c
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..169989f2d7
--- /dev/null
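Review bot: Both `{{#each paths as |path i|}}` and `{{#each tags as |tag i|}}` in stream.yml.hbs declare a block parameter `i` that the loop body never reads, which makes a reader look for an index that is not used. Dropping it, `{{#each paths as |path|}}` and `{{#each tags as |tag|}}`, states the intent directly. The same unused `i` appears in the `tags` loops of tcp.yml.hbs and udp.yml.hbs later in this diff.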
+++ b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e01f113448
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_asa/2.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f5412496e7
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
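Review bot: In tcp.yml.hbs the `ssl: {{ssl}}` block is emitted only inside `{{#if ssl}}`, so when the variable is left empty the listener on `host: "{{tcp_host}}:{{tcp_port}}"` accepts plaintext syslog with no transport authentication, and nothing in the template records that this is the default. The `ssl` variable's description in the manifest (not in this chunk) should say that TLS is off unless the block is provided, and the data stream README should point operators to it. The udp stream on this same line has no `ssl` option, which is consistent with the transport but deserves the same caveat in its documentation.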
@@ -0,0 +1,2124 @@ +--- +description: "Pipeline for Cisco ASA logs" +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '8.2.0' + # + # Parse the syslog header + # + # This populates the host.hostname, process.name, timestamp and other fields + # from the header and stores the message contents in _temp_.full_message. + - grok: + field: event.original + patterns: + - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}" + pattern_definitions: + SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?" + SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>" + # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424. + FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})" + ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?" + PROCESS: "(?:[^%\\s:\\[]+)" + SYSLOG_END: "(?:(:|\\s)\\s+)" + # exactly match the syntax for firepower management logs + PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})" + HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?" + - script: + lang: painless + source: | + if (ctx.log?.syslog?.priority != null) { + def severity = new HashMap(); + severity['code'] = ctx.log.syslog.priority&0x7; + ctx.log.syslog['severity'] = severity; + def facility = new HashMap(); + facility['code'] = ctx.log.syslog.priority>>3; + ctx.log.syslog['facility'] = facility; + } + + # + # Parse FTD/ASA style message + # + # This parses the header of an EMBLEM-style message for FTD and ASA prefixes. 
+ - grok: + field: _temp_.full_message + patterns: + - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}" + # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header. + - "%{GREEDYDATA:message}" + pattern_definitions: + FTD_SUFFIX: "[^0-9-]+" + # Before version 6.3, FTD used ASA prefix in syslog messages + FTD_PREFIX: "%{DATA}%(?:[A-Z]+)" + + # + # Create missing fields when no %FTD label is present + # + # message_id is needed in order for some processors below to work. + - set: + field: _temp_.cisco.message_id + value: "" + if: "ctx?._temp_?.cisco?.message_id == null" + + # + # set default event.severity to 7 (debug): + # + # This value is read from the EMBLEM header and won't be present if this is not + # an emblem message (firewalls can be configured to report other kinds of events) + - set: + field: event.severity + value: 7 + if: "ctx?.event?.severity == null" + + # + # Parse the date included in FTD logs + # + - date: + if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null" + field: "_temp_.raw_date" + target_field: "@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + - date: + if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null" + timezone: "{{ event.timezone }}" + field: "_temp_.raw_date" + target_field: 
"@timestamp" + formats: + - "ISO8601" + - "MMM d HH:mm:ss" + - "MMM dd HH:mm:ss" + - "EEE MMM d HH:mm:ss" + - "EEE MMM dd HH:mm:ss" + - "MMM d HH:mm:ss z" + - "MMM dd HH:mm:ss z" + - "EEE MMM d HH:mm:ss z" + - "EEE MMM dd HH:mm:ss z" + - "MMM d yyyy HH:mm:ss" + - "MMM dd yyyy HH:mm:ss" + - "EEE MMM d yyyy HH:mm:ss" + - "EEE MMM dd yyyy HH:mm:ss" + - "MMM d yyyy HH:mm:ss z" + - "MMM dd yyyy HH:mm:ss z" + - "EEE MMM d yyyy HH:mm:ss z" + - "EEE MMM dd yyyy HH:mm:ss z" + on_failure: + [ + { + "append": + { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}", + }, + }, + ] + + # + # Set log.level + # + - set: + field: "log.level" + if: "ctx.event.severity == 0" + value: unknown + - set: + field: "log.level" + if: "ctx.event.severity == 1" + value: alert + - set: + field: "log.level" + if: "ctx.event.severity == 2" + value: critical + - set: + field: "log.level" + if: "ctx.event.severity == 3" + value: error + - set: + field: "log.level" + if: "ctx.event.severity == 4" + value: warning + - set: + field: "log.level" + if: "ctx.event.severity == 5" + value: notification + - set: + field: "log.level" + if: "ctx.event.severity == 6" + value: informational + - set: + field: "log.level" + if: "ctx.event.severity == 7" + value: debug + + # + # Firewall messages + # + # This set of messages is shared between FTD and ASA. 
+ - set: + if: 'ctx._temp_.cisco.message_id != ""' + field: "event.action" + value: "firewall-rule" + - dissect: + if: "ctx._temp_.cisco.message_id == '106001'" + field: "message" + description: "106001" + pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106002'" + field: "message" + description: "106002" + pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106006'" + field: "message" + description: "106006" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106007'" + field: "message" + description: "106007" + pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '106010'" + field: "message" + description: "106010" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "message" + description: "106013" + pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}" + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.transport" + description: "106013" + value: icmp + - set: + if: "ctx._temp_.cisco.message_id == '106013'" + field: "network.direction" + description: "106013" + value: inbound + - grok: + if: "ctx._temp_.cisco.message_id == '106014'" + field: "message" + description: "106014" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?" + - grok: + if: "ctx._temp_.cisco.message_id == '106015'" + field: "message" + description: "106015" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106016'" + field: "message" + pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106016" + - dissect: + if: "ctx._temp_.cisco.message_id == '106017'" + field: "message" + pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}" + description: "106017" + - dissect: + if: "ctx._temp_.cisco.message_id == '106018'" + field: "message" + pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}" + description: "106018" + - dissect: + if: "ctx._temp_.cisco.message_id == '106020'" + field: 
"message" + pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}" + description: "106020" + - dissect: + if: "ctx._temp_.cisco.message_id == '106021'" + field: "message" + pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106021" + - dissect: + if: "ctx._temp_.cisco.message_id == '106022'" + field: "message" + pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}" + description: "106022" + - grok: + if: "ctx._temp_.cisco.message_id == '106023'" + field: "message" + description: "106023" + patterns: + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '106027'" + field: "message" + description: "106027" + pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '106100'" + field: "message" + description: "106100" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + description: "106103" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + description: "111004" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + description: "111004" + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + description: "111004" + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + description: "111004" + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + description: "111009" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: 
"message" + description: "111010" + patterns: + - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + description: "113019" + pattern: "Group = %{source.user.group.name}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{_temp_.cisco.session_type}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113040'" + field: "message" + description: "113040" + pattern: "Terminating the VPN connection attempt from %{source.user.group.name}. Reason: This connection is group locked to %{}." + - grok: + if: '["113029","113030","113031","113032","113033","113034","113035","113036","113038","113039"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "113029, 113030, 113031, 113032, 113033, 113034, 113035, 113036, 113038, 113039" + patterns: + - "Group %{NOTSPACE:source.user.group.name} User %{USER:source.user.name} IP %{IP:source.address}" + - grok: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "302013, 302015" + patterns: + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? 
to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + description: "303002" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" + field: "message" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + description: "302020" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" 
+ pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + description: "302022" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302023'" + field: "message" + description: "302023" + pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}" + - grok: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "message" + description: "304001" + patterns: + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - set: + if: "ctx._temp_.cisco.message_id == '304001'" + field: "event.outcome" + description: "304001" + value: allowed + - dissect: + if: "ctx._temp_.cisco.message_id == '304002'" + field: "message" + description: "304002" + pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - grok: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + description: "305011" + patterns: + - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? 
to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} + - dissect: + if: "ctx._temp_.cisco.message_id == '313001'" + field: "message" + description: "313001" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313004'" + field: "message" + description: "313004" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session" + - dissect: + if: "ctx._temp_.cisco.message_id == '313005'" + field: "message" + description: "313005" + pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313008'" + field: "message" + description: "313008" + pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '313009'" + field: "message" + description: "313009" + pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '322001'" + field: "message" + description: "322001" + pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == 
'338001'" + field: "message" + description: "338001" + pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338001'" + field: "server.domain" + description: "338001" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "message" + description: "338002" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}" + - set: + if: "ctx._temp_.cisco.message_id == '338002'" + field: "server.domain" + description: "338002" + value: "{{destination.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338003'" + field: "message" + description: "338003" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: 
%{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338004'" + field: "message" + description: "338004" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - dissect: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "message" + description: "338005" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}" + - set: + if: "ctx._temp_.cisco.message_id == '338005'" + field: "server.domain" + description: "338005" + value: "{{source.domain}}" + ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '338006'" + field: "message" + description: "338006" + pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: 
%{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "server.domain"
+ description: "338006"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338007'"
+ field: "message"
+ description: "338007"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338008'"
+ field: "message"
+ description: "338008"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "message"
+ description: "338101"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from 
%{_temp_.cisco.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "server.domain"
+ description: "338101"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "message"
+ description: "338102"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "server.domain"
+ description: "338102"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338103'"
+ field: "message"
+ description: "338103"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338104'"
+ field: "message"
+ description: "338104"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: 
"ctx._temp_.cisco.message_id == '338201'"
+ field: "message"
+ description: "338201"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "server.domain"
+ description: "338201"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "message"
+ description: "338202"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "server.domain"
+ description: "338202"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "message"
+ description: "338203"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} 
(%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "server.domain"
+ description: "338203"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "message"
+ description: "338204"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "server.domain"
+ description: "338204"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "message"
+ description: "338301"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.address"
+ description: "338301"
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.port"
+ description: "338301"
+ value: "{{destination.port}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.address"
+ description: "338301"
+ value: 
"{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.port"
+ description: "338301"
+ value: "{{source.port}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ description: "502103"
+ pattern: "User priv level changed: Uname: %{server.user.name} 
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '607001'"
+ field: "message"
+ description: "607001"
+ pattern: "Pre-allocate SIP %{_temp_.cisco.connection_type} secondary channel for %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} to %{_temp_.cisco.source_interface}:%{source.address} from %{_temp_.cisco.message} message"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '607001'"
+ description: "607001"
+ field: "_temp_.cisco.connection_type"
+ patterns:
+ - "%{CONNECTION}"
+ pattern_definitions:
+ TRANSPORTS: "(?:UDP|TCP)"
+ PROTOCOLS: "(?:RTP|RTCP)"
+ CONNECTION: "(?:%{TRANSPORTS:network.transport}|%{PROTOCOLS:network.protocol})"
+ ignore_failure: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ 
pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710005'"
+ field: "message"
+ description: "710005"
+ pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713049'"
+ field: "message"
+ description: "713049"
+ pattern: "Group = %{}, Username = %{user.name}, IP = %{source.address}, Security negotiation complete for User (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}"
+ ignore_failure: true
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '716002'"
+ field: "message"
+ description: "716002"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}."
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." 
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '722051'"
+ field: "message"
+ description: "722051"
+ patterns:
+ - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}"
+ - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '733100'"
+ field: "message"
+ description: "733100"
+ patterns:
+ - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count}
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '734001'"
+ field: "message"
+ description: "734001"
+ pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805001'"
+ field: "message"
+ description: "805001"
+ pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '805002'"
+ field: "message"
+ description: "805002"
+ pattern: "%{network.transport} Flow is no longer offloaded for connection 
%{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ - split:
+ field: "_temp_.cisco.dap_records"
+ separator: ",\\s+"
+ ignore_missing: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434002'"
+ field: "message"
+ pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '434004'"
+ field: "message"
+ pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '110002'"
+ field: "message"
+ pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '419002'"
+ field: "message"
+ pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}"
+ - dissect:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." 
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750002'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713120'"
+ field: "message"
+ pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '713202'"
+ field: "message"
+ pattern: "IP = %{source.address}, %{event.reason}. %{} packet."
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '750003'"
+ field: "message"
+ pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}"
+ - grok:
+ if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ patterns:
+ - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$"
+ # Handle ecs action outcome protocol
+ - set:
+ if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "unknown"
+ - set:
+ if: '["419002"].contains(ctx._temp_.cisco.message_id)'
+ field: "network.protocol"
+ value: "tcp"
+ - set:
+ if: '["110002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "dropped"
+ - set:
+ if: '["713120"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "success"
+ - set:
+ if: '["710005"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "dropped"
+ - set:
+ if: '["713901", "713902", "713903", "713904", "713905"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.outcome"
+ value: "failure"
+ - set:
+ if: '["113039"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-connected"
+ - set:
+ 
if: '["113029","113030","113031","113032","113033","113034","113035","113036","113037","113038"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-error"
+ - set:
+ if: '["113040"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "client-vpn-disconnected"
+ - set:
+ if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "connection-started"
+ - set:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "error"
+ - append:
+ if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.type"
+ value: "error"
+
+ #
+ # Handle 302xxx messages (Flow expiration a.k.a "Teardown")
+ #
+ - set:
+ if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)'
+ field: "event.action"
+ value: "flow-expiration"
+ description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002"
+ - grok:
+ field: "message"
+ if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)'
+ description: "302014, 302016, 302018, 302021, 302036, 302304, 302306"
+ patterns:
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? 
)?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\)
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason}
+ - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes})
+ - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? 
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})"
+ DURATION: "%{INT}:%{MINUTE}:%{SECOND}"
+ CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?)
+
+ #
+ # Decode FTD's Security Event Syslog Messages
+ #
+ # 43000x messages are security event syslog messages specific to FTD.
+ # Format is a comma-separated sequence of key: value pairs.
+ #
+ # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value}
+ - kv:
+ if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "430001, 430002, 430003, 430004, 430005"
+ field_split: ",(?=[A-za-z1-9\\s]+:)"
+ value_split: ":"
+ target_field: "_temp_.orig_security"
+ trim_key: " "
+ trim_value: " "
+ ignore_failure: true
+
+ #
+ # Remove _temp_.full_message.
+ #
+ # The field has been used as temporary buffer while decoding. The full message
+ # is kept under event.original. Processors below can still add a message field, as some
+ # security events contain an explanatory Message field.
+ - remove:
+ field:
+ - message
+ - _temp_.full_message
+ ignore_missing: true
+
+ #
+ # Populate ECS fields from Security Events
+ #
+ # This script uses the key-value pairs from Security Events to populate
+ # the appropriate ECS fields.
+ #
+ # A single key can be mapped to multiple ECS fields, and more than one key can
+ # map to the same ECS field, which results in an array being created.
+ #
+ # This script performs an additional job:
+ #
+ # Before FTD version 6.3, the message_id was not included in Security Events.
+ # As this field encodes the kind of event (intrusion, connection, malware...)
+ # the script below will guess the right message_id from the keys present in
+ # the event. 
+ # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: ["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + 
id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", 
"430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + 
SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? 
+ dest.put(key, value)
+ : existing instanceof AbstractList?
+ existing.add(value)
+ : dest.put(key, new ArrayList([existing, value]));
+ }
+ def msg = ctx._temp_.orig_security;
+ def counters = new HashMap();
+ def dest = new HashMap();
+ ctx._temp_.cisco['security'] = dest;
+ for (entry in msg.entrySet()) {
+ def param = params.get(entry.getKey());
+ if (param == null) {
+ continue;
+ }
+ param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) );
+ if (!isEmpty(entry.getValue())) {
+ param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) );
+ dest[param.target] = entry.getValue();
+ }
+ }
+ if (ctx._temp_.cisco.message_id != "") return;
+ def best;
+ for (entry in counters.entrySet()) {
+ if (best == null || best.getValue() < entry.getValue()) best = entry;
+ }
+ if (best != null) ctx._temp_.cisco.message_id = best.getKey();
+ #*******************************************************************************
+ # End of generated code.
+ #*******************************************************************************
+
+ #
+ # Normalize ECS field values
+ #
+ - script:
+ lang: painless
+ params:
+ "ctx._temp_.cisco.message_id":
+ target: event.action
+ map:
+ "430001": intrusion-detected
+ "430002": connection-started
+ "430003": connection-finished
+ "430004": file-detected
+ "430005": malware-detected
+ "dns.question.type":
+ map:
+ "a host address": A
+ "ip6 address": AAAA
+ "text strings": TXT
+ "a domain name pointer": PTR
+ "an authoritative name server": NS
+ "the canonical name for an alias": CNAME
+ "marks the start of a zone of authority": SOA
+ "mail exchange": MX
+ "server selection": SRV
+ "dns.response_code":
+ map:
+ "non-existent domain": NXDOMAIN
+ "server failure": SERVFAIL
+ "query refused": REFUSED
+ "no error": NOERROR
+ source: |
+ def getField(Map src, String[] path) {
+ for (int i=0; i new HashMap());
+ }
+ dest[path[path.length-1]] = value;
+ }
+ for (entry in params.entrySet()) {
+ def srcField = entry.getKey();
+ def param = entry.getValue();
+ String oldVal = getField(ctx, srcField.splitOnToken('.'));
+ if (oldVal == null) continue;
+ def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null);
+ if (newVal != null) {
+ def dstField = param.getOrDefault('target', srcField);
+ setField(ctx, dstField.splitOnToken('.'), newVal);
+ }
+ }
+ - set:
+ if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null"
+ field: dns.response_code
+ value: NOERROR
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430001"'
+ field: event.action
+ value: intrusion-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430002"'
+ field: event.action
+ value: connection-started
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430003"'
+ field: event.action
+ value: connection-finished
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430004"'
+ field: event.action
+ value: file-detected
+ - set:
+ if: 'ctx._temp_.cisco.message_id == "430005"'
+ field: event.action
+ value: malware-detected
+
+ #
+ # Handle event.duration
+ #
+ # It can be set from ConnectionDuration FTD field above. This field holds
+ # seconds as a string. Copy it to _temp_.duration_hms so that the following
+ # processor converts it to the right value and populates start and end.
+ - set:
+ field: "_temp_.duration_hms"
+ value: "{{event.duration}}"
+ ignore_empty_value: true
+
+ #
+ # Process the flow duration "hh:mm:ss" present in some messages
+ # This will fill event.start, event.end and event.duration
+ #
+ - script:
+ lang: painless
+ if: "ctx?._temp_?.duration_hms != null"
+ source: >
+ long parse_hms(String s) {
+ long cur = 0, total = 0;
+ for (char c: s.toCharArray()) {
+ if (c >= (char)'0' && c <= (char)'9') {
+ cur = (cur*10) + (long)c - (char)'0';
+ } else if (c == (char)':') {
+ total = (total + cur) * 60;
+ cur = 0;
+ } else if (c != (char)'h' && c == (char)'m' && c == (char)'s') {
+ return 0;
+ }
+ }
+ return total + cur;
+ }
+ if (ctx?.event == null) {
+ ctx['event'] = new HashMap();
+ }
+ String end = ctx['@timestamp'];
+ ctx.event['end'] = end;
+ long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L;
+ ctx.event['duration'] = nanos;
+ ctx.event['start'] = ZonedDateTime.ofInstant(
+ Instant.parse(end).minusNanos(nanos),
+ ZoneOffset.UTC);
+ #
+ # Parse Source/Dest Username/Domain
+ #
+ - set:
+ field: source.user.name
+ value: "{{{ _temp_.cisco.source_username }}}"
+ if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null'
+ - set:
+ field: destination.user.name
+ value: "{{{ _temp_.cisco.destination_username }}}"
+ if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null'
+ - grok:
+ field: "source.user.name"
+ if: 'ctx?.source?.user?.name != null'
+ ignore_failure: true
+ patterns:
+ - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name}
+ pattern_definitions:
+ CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?"
+ CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)?
+ - grok:
+ field: "destination.user.name"
+ if: 'ctx?.destination?.user?.name != null'
+ ignore_failure: true
+ patterns:
+ - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name}
+ pattern_definitions:
+ CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?"
+ CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)?
+ #
+ # Normalize protocol names
+ #
+ - lowercase:
+ field: "network.transport"
+ ignore_failure: true
+ - lowercase:
+ field: "network.protocol"
+ ignore_failure: true
+ - lowercase:
+ field: "network.application"
+ ignore_failure: true
+ - lowercase:
+ field: "file.type"
+ ignore_failure: true
+ - lowercase:
+ field: "network.direction"
+ ignore_failure: true
+ - lowercase:
+ field: "network.type"
+ ignore_failure: true
+ #
+ # Populate network.iana_number from network.transport. Also does reverse
+ # mapping in case network.transport contains the iana_number.
+ #
+ - script:
+ if: "ctx?.network?.transport != null"
+ lang: painless
+ params:
+ icmp: 1
+ igmp: 2
+ ipv4: 4
+ tcp: 6
+ egp: 8
+ igp: 9
+ pup: 12
+ udp: 17
+ rdp: 27
+ irtp: 28
+ dccp: 33
+ idpr: 35
+ ipv6: 41
+ ipv6-route: 43
+ ipv6-frag: 44
+ rsvp: 46
+ gre: 47
+ esp: 50
+ ipv6-icmp: 58
+ ipv6-nonxt: 59
+ ipv6-opts: 60
+ source: >
+ def net = ctx.network;
+ def iana = params[net.transport];
+ if (iana != null) {
+ net['iana_number'] = iana;
+ return;
+ }
+ def reverse = new HashMap();
+ def[] arr = new def[] { null };
+ for (entry in params.entrySet()) {
+ arr[0] = entry.getValue();
+ reverse.put(String.format("%d", arr), entry.getKey());
+ }
+ def trans = reverse[net.transport];
+ if (trans != null) {
+ net['iana_number'] = net.transport;
+ net['transport'] = trans;
+ }
+ #
+ # Normalize event.outcome
+ #
+ - lowercase:
+ field: "event.outcome"
+ ignore_missing: true
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "est-allowed"'
+ value: "allowed"
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "permitted"'
+ value: "allowed"
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "allow"'
+ value: allowed
+ - set:
+ field: "event.outcome"
+ if: 'ctx.event?.outcome == "deny"'
+ value: denied
+ - set:
+ field: "network.transport"
+ if: 'ctx.network?.transport == "icmpv6"'
+ value: "ipv6-icmp"
+ #
+ # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string
+ #
+ - convert:
+ field: source.port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: network.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: source.packets
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: destination.packets
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.mapped_source_port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.mapped_destination_port
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.icmp_code
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: _temp_.cisco.icmp_type
+ type: integer
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: http.response.status_code
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: file.size
+ type: integer
+ ignore_failure: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_failure: true
+ ignore_missing: true
+ - convert:
+ field: sip.to.uri.port
+ type: integer
+ ignore_failure: true
+ #
+ # Assign ECS .ip fields from .address is a valid IP address is found,
+ # otherwise set .domain field.
+ #
+ - grok:
+ field: source.address
+ patterns:
+ - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$"
+ ignore_failure: true
+ - grok:
+ field: destination.address
+ patterns:
+ - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$"
+ ignore_failure: true
+ - grok:
+ field: client.address
+ patterns:
+ - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$"
+ ignore_failure: true
+ - grok:
+ field: server.address
+ patterns:
+ - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$"
+ ignore_failure: true
+ #
+ # Geolocation for source and destination addresses
+ #
+ - geoip:
+ field: "source.ip"
+ target_field: "source.geo"
+ ignore_missing: true
+ - geoip:
+ field: "destination.ip"
+ target_field: "destination.geo"
+ ignore_missing: true
+ #
+ # IP Autonomous System (AS) Lookup
+ #
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value: "{{url.domain}}"
+ ignore_failure: true
+ if: ctx?.url?.domain != null
+
+ - uri_parts:
+ field: url.original
+ ignore_failure: true
+ if: ctx?.url?.original != null
+ - append:
+ field: url.domain
+ value: "{{_temp_.url_domain}}"
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx?._temp_?.url_domain != null
+
+ #
+ # Populate ECS event.code
+ #
+ - rename:
+ field: _temp_.cisco.message_id
+ target_field: event.code
+ ignore_failure: true
+ - remove:
+ field:
+ - _temp_.cisco.message_id
+ - event.code
+ if: 'ctx._temp_.cisco.message_id == ""'
+ ignore_failure: true
+ #
+ # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd.
+ #
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.asa"
+ ignore_failure: true
+ #
+ # Remove temporary fields
+ #
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ #
+ # Rename some 7.x fields
+ #
+ - rename:
+ field: cisco.asa.list_id
+ target_field: cisco.asa.rule_name
+ ignore_missing: true
+ # ECS categorization
+ - script:
+ lang: painless
+ params:
+ connection-finished:
+ kind: event
+ category:
+ - network
+ type:
+ - end
+ connection-started:
+ kind: event
+ category:
+ - network
+ type:
+ - start
+ file-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ firewall-rule:
+ kind: event
+ category:
+ - network
+ type: []
+ flow-expiration:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ intrusion-detected:
+ kind: alert
+ category:
+ - intrusion_detection
+ type:
+ - info
+ malware-detected:
+ kind: alert
+ category:
+ - malware
+ type:
+ - info
+ bypass:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - change
+ error:
+ kind: event
+ outcome: failure
+ category:
+ - network
+ type:
+ - error
+ deleted:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - deletion
+ - user
+ creation:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - creation
+ - user
+ client-vpn-connected:
+ kind: event
+ category:
+ - network
+ - session
+ type:
+ - connection
+ - start
+ client-vpn-error:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - error
+ - denied
+ client-vpn-disconnected:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - end
+ source: >-
+ if (ctx?.event?.action == null || !params.containsKey(ctx.event.action)) {
+ return;
+ }
+
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null || (!ctx.event.category.contains('network') && !ctx.event.category.contains('intrusion_detection'))) {
+ if (ctx?.event?.action == 'firewall-rule') {
+ ctx.event.type.add('info');
+ } else if (ctx?.event?.action.startsWith('connection-')) {
+ ctx.event.type.add('connection');
+ }
+ return;
+ }
+ if (ctx.event.outcome == 'allowed') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('allowed');
+ } else if (ctx.event.outcome == 'denied' || ctx.event.outcome == 'block') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('denied');
+ } else if (ctx.event.outcome == 'dropped') {
+ ctx.event.outcome = 'failure';
+ ctx.event.type.add('connection');
+ ctx.event.type.add('denied');
+ } else if (ctx?.event?.action == 'firewall-rule') {
+ ctx.event.type.add('info');
+ } else if (ctx?.event?.action.startsWith('connection-')) {
+ ctx.event.type.add('connection');
+ }
+ if (ctx.event.outcome == 'monitored') {
+ ctx.event.category.add('intrusion_detection');
+ ctx.event.outcome = 'success';
+ }
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "firewall"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "asa"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.asa.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.asa.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{user.name}}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{source.user.name}}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{{destination.user.name}}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.user.domain}}"
+ if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.user.domain}}"
+ if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - community_id:
+ ignore_missing: true
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.asa"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/fields/agent.yml b/packages/cisco_asa/2.4.2/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/2.4.2/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..efbed64fad
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_asa
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_asa.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/fields/ecs.yml b/packages/cisco_asa/2.4.2/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..2954b25d91
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/fields/ecs.yml
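Review bot: In the agent.yml hunk, `example: 666777888999` under `cloud.account.id` is an unquoted all-digit scalar, so a YAML loader reads it as an integer even though the field is `type: keyword`; quote it as `example: "666777888999"` so the example carries the field's type, as the later `example: "18D109"` and `example: "stretch"` in the same hunk already do. The `os.platform` description reads `(such centos, ubuntu, windows)` and presumably lost an `as`; `(such as centos, ubuntu, windows)` would match the `os.family` description just above it. The three `description: >` folded scalars followed by a blank `+` line keep a trailing newline in the value, which is harmless for a description but differs from the `|-` style used for multi-line descriptions in the ecs.yml hunk of this same commit.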
@@ -0,0 +1,517 @@ +- description: |- + Date/time when the event originated. + This is the date/time extracted from the event, typically representing when the event was generated by the source. + If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. + Required field for all events. + name: '@timestamp' + type: date +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: client.user.name + type: keyword +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: destination.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: destination.as.organization.name + type: keyword +- description: Bytes sent from the destination to the source. + name: destination.bytes + type: long +- description: |- + The domain name of the destination system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: destination.domain + type: keyword +- description: City name. + name: destination.geo.city_name + type: keyword +- description: Name of the continent. + name: destination.geo.continent_name + type: keyword +- description: Country ISO code. + name: destination.geo.country_iso_code + type: keyword +- description: Country name. + name: destination.geo.country_name + type: keyword +- description: Longitude and latitude. 
+ level: core + name: destination.geo.location + type: geo_point +- description: Region ISO code. + name: destination.geo.region_iso_code + type: keyword +- description: Region name. + name: destination.geo.region_name + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + Translated ip of destination based NAT sessions (e.g. internet to private DMZ) + Typically used with load balancers, firewalls, or routers. + name: destination.nat.ip + type: ip +- description: |- + Port the source session is translated to by NAT Device. + Typically used with load balancers, firewalls, or routers. + name: destination.nat.port + type: long +- description: Port of the destination. + name: destination.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: destination.user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: destination.user.name + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: Error message. + name: error.message + type: match_only_text +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Duration of the event in nanoseconds. + If event.start and event.end are known this value should be the difference between the end and start time. 
+ name: event.duration + type: long +- description: event.end contains the date when the event ended or when the activity was last observed. + name: event.end + type: date +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. 
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: event.start contains the date when the event started or when the activity was first observed. + name: event.start + type: date +- description: |- + This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + name: event.timezone + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Full path to the file, including the file name. It should include the drive letter, when appropriate. + multi_fields: + - name: text + type: match_only_text + name: file.path + type: keyword +- description: |- + Custom key/value pairs. + Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. + Example: `docker` and `k8s` labels. + name: labels + type: object +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. 
+ name: log.file.path + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + Syslog numeric priority of the event, if available. + According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + name: log.syslog.priority + type: long +- description: |- + The Syslog numeric facility of the log event, if available. + According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + A hash of source and destination IPs and ports, as well as the protocol used in a communication. 
This is a tool-agnostic standard to identify flows. + Learn more at https://github.com/corelight/community-id-spec. + name: network.community_id + type: keyword +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". + When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. + name: process.pid + type: long +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. 
+ name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Port of the source. + name: source.port + type: long +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: source.user.domain + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: Name of the group. + name: source.user.group.name + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". 
+ In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. + name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. 
If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. 
+ name: user.email + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_asa/2.4.2/data_stream/log/fields/fields.yml b/packages/cisco_asa/2.4.2/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..a1e912f401 
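Review bot: The `event.created` entry is declared twice in this hunk, back to back, with identical description, name and type, and `server.domain` is also declared twice (once in the alphabetical run before `source.*`, again in the trailing `server.*`/`client.*` block); one copy of each should be removed. The file is a YAML sequence, so no parser will reject the repeats, but duplicate field definitions leave the generated mapping and field documentation dependent on whichever copy the package tooling reads last, and they are easy to overlook in a 500-line list. Moving the trailing `user.*`, `server.*` and `client.*` entries into alphabetical position with the rest would also keep future diffs against the ECS field source reviewable.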
--- /dev/null +++ b/packages/cisco_asa/2.4.2/data_stream/log/fields/fields.yml 
@@ -0,0 +1,209 @@ +- name: cisco.asa + type: group + fields: + - name: message_id + type: keyword + description: > + The Cisco ASA message identifier. + + - name: suffix + type: keyword + description: > + Optional suffix after %ASA identifier. + + - name: source_interface + type: keyword + description: > + Source interface for the flow or event. + + - name: destination_interface + type: keyword + description: > + Destination interface for the flow or event. + + - name: rule_name + type: keyword + description: > + Name of the Access Control List rule that matched this event. + + - name: source_username + type: keyword + description: > + Name of the user that is the source for this event. + + - name: destination_username + type: keyword + description: > + Name of the user that is the destination for this event. + + - name: mapped_source_ip + type: ip + description: > + The translated source IP address. + + - name: mapped_source_port + type: long + description: > + The translated source port. + + - name: mapped_destination_ip + type: ip + description: > + The translated destination IP address. + + - name: mapped_destination_port + type: long + description: > + The translated destination port. + + - name: threat_level + type: keyword + description: > + Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. + + - name: threat_category + type: keyword + description: > + Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. + + - name: connection_id + type: keyword + description: > + Unique identifier for a flow. + + - name: icmp_type + type: short + description: > + ICMP type. + + - name: icmp_code + type: short + description: > + ICMP code. + + - name: connection_type + type: keyword + description: > + The VPN connection type + + - name: session_type + type: keyword + default_field: false + description: > + Session type (for example, IPsec or UDP). 
+ + - name: dap_records + type: keyword + description: > + The assigned DAP records + + - name: mapped_destination_host + type: keyword + - name: username + type: keyword + - name: mapped_source_host + type: keyword + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared + + - name: security + type: flattened + description: Cisco FTD security event fields. 
+ - name: webvpn.group_name + type: keyword + default_field: false + description: > + The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) + + - name: termination_user + default_field: false + type: keyword + description: > + AAA name of user requesting termination + + - name: message + default_field: false + type: keyword + description: >- + The message associated with SIP and Skinny VoIP events +- name: syslog.facility.code + type: long + description: Syslog numeric facility of the event. +- name: syslog.priority + type: long + description: Syslog priority of the event. diff --git a/packages/cisco_asa/2.4.2/data_stream/log/manifest.yml b/packages/cisco_asa/2.4.2/data_stream/log/manifest.yml new file mode 100755 index 0000000000..152d8d7d7a --- /dev/null +++ b/packages/cisco_asa/2.4.2/data_stream/log/manifest.yml 
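Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are the only entries in the `cisco.asa` group declared without a `description`, so they will appear undocumented in the generated field reference; wording such as `description: The translated destination host name.`, `description: The user name associated with the event.` and `description: The translated source host name.` would close the gap, to be confirmed against the pipeline that populates them. The `security` field is described as "Cisco FTD security event fields" although this is the `cisco_asa` package; if the text was carried over from the FTD package it may be worth rewording so the ASA documentation is accurate. The other descriptions use `>` (which keeps a trailing newline in the rendered text) while `message` uses `>-`; one form used file-wide would be more consistent.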
@@ -0,0 +1,175 @@
+title: Cisco ASA logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: udp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: Listen Port
+ description: The UDP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: Listen Port
+ description: The TCP port number to listen on.
+ multi: false
+ required: true
+ show_user: true
+ default: 9001
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ #
8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - input: logfile
+ enabled: false
+ title: Cisco ASA logs
+ description: Collect Cisco ASA logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-asa.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-asa
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_asa/2.4.2/data_stream/log/sample_event.json b/packages/cisco_asa/2.4.2/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..fa30377de4
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/data_stream/log/sample_event.json
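Review bot: The commented default of `tcp_options` misspells the framing option as `#framing: delimitier`; a user who uncomments it as written would hand the TCP input an unrecognised framing value, so it should read `#framing: delimiter`. In the `ssl` variable, `description: i.e. certificate_authorities, supported_protocols, verification_mode etc.` lists examples rather than a definition and reads better as `e.g.`. Since that `ssl` default is entirely commented out, the TCP listener accepts syslog in cleartext unless the operator fills it in; the `tcp_host` description could add `Binding to 0.0.0.0 exposes the listener on every interface; configure the ssl option when accepting connections from beyond the host.` so the two settings are seen together.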
@@ -0,0 +1,107 @@
+{
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "agent": {
+ "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0",
+ "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "cisco": {
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_asa.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44",
+ "port": 8256
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "305011",
+ "dataset": "cisco_asa.log",
+ "ingested": "2022-06-21T10:34:19Z",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
+ "severity": 6,
+ "timezone": "+00:00",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "level": "informational",
+ "source": {
+ "address": "192.168.208.4:52674"
+ }
+ },
+ "network": {
+ "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "localhost",
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "192.168.98.44"
+ ]
+ },
+ "source": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1772
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-asa",
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/cisco_asa/2.4.2/docs/README.md b/packages/cisco_asa/2.4.2/docs/README.md
new file mode 100755
index 0000000000..74a9619b68
--- /dev/null
+++ b/packages/cisco_asa/2.4.2/docs/README.md
@@ -0,0 +1,332 @@
+# Cisco ASA Integration
+
+This integration is for Cisco ASA network device's logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco ASA firewall logs.
+
+## Logs
+
+### ASA
+
+The `log` dataset collects the Cisco ASA firewall logs.
+
+An example event for `log` looks as following:
+
+```json
+{
+ "@timestamp": "2018-10-10T12:34:56.000Z",
+ "agent": {
+ "ephemeral_id": "90753735-64f6-4611-b88a-892365f67be0",
+ "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "cisco": {
+ "asa": {
+ "destination_interface": "outside",
+ "source_interface": "inside"
+ }
+ },
+ "data_stream": {
+ "dataset": "cisco_asa.log",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "192.168.98.44",
+ "ip": "192.168.98.44",
+ "port": 8256
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "c077f5c5-ca69-4197-9db5-7963794bdac3",
+ "snapshot": false,
+ "version": "8.2.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "agent_id_status": "verified",
+ "category": [
+ "network"
+ ],
+ "code": "305011",
+ "dataset": "cisco_asa.log",
+ "ingested": "2022-06-21T10:34:19Z",
+ "kind": "event",
+ "original": "Oct 10 2018 12:34:56 localhost CiscoASA[999]: %ASA-6-305011: Built dynamic TCP translation from inside:172.31.98.44/1772 to outside:192.168.98.44/8256",
+ "severity": 6,
+ "timezone": "+00:00",
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "hostname": "localhost"
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "level": "informational",
+ "source": {
+ "address": "192.168.208.4:52674"
+ }
+ },
+ "network": {
+ "community_id": "1:5fapvb2/9FPSvoCspfD2WiW0NdQ=",
+ "iana_number": "6",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "outside"
+ }
+ },
+ "hostname": "localhost",
+ "ingress": {
+ "interface": {
+ "name": "inside"
+ }
+ },
+ "product": "asa",
+ "type": "firewall",
+ "vendor": "Cisco"
+ },
+ "process": {
+ "name": "CiscoASA",
+ "pid": 999
+ },
+ "related": {
+ "hosts": [
+ "localhost"
+ ],
+ "ip": [
+ "172.31.98.44",
+ "192.168.98.44"
+ ]
+ },
+ "source": {
+ "address": "172.31.98.44",
+ "ip": "172.31.98.44",
+ "port": 1772
+ },
+ "tags": [
+ "preserve_original_event",
+ "cisco-asa",
+ "forwarded"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
+| cisco.asa.burst.avg_rate | The current average burst rate seen | keyword |
+| cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
+| cisco.asa.burst.configured_rate | The current configured burst rate | keyword |
+| cisco.asa.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword |
+| cisco.asa.burst.current_rate | The current burst rate seen | keyword |
+| cisco.asa.burst.id | The related rate ID for burst warnings | keyword |
+| cisco.asa.burst.object | The related object for burst warnings | keyword |
+| cisco.asa.command_line_arguments | The command line arguments logged by the local audit log | keyword |
+| cisco.asa.connection_id | Unique identifier for a flow. | keyword |
+| cisco.asa.connection_type | The VPN connection type | keyword |
+| cisco.asa.dap_records | The assigned DAP records | keyword |
+| cisco.asa.destination_interface | Destination interface for the flow or event. | keyword |
+| cisco.asa.destination_username | Name of the user that is the destination for this event. | keyword |
+| cisco.asa.icmp_code | ICMP code. | short |
+| cisco.asa.icmp_type | ICMP type. | short |
+| cisco.asa.mapped_destination_host | | keyword |
+| cisco.asa.mapped_destination_ip | The translated destination IP address.
| ip |
+| cisco.asa.mapped_destination_port | The translated destination port. | long |
+| cisco.asa.mapped_source_host | | keyword |
+| cisco.asa.mapped_source_ip | The translated source IP address. | ip |
+| cisco.asa.mapped_source_port | The translated source port. | long |
+| cisco.asa.message | The message associated with SIP and Skinny VoIP events | keyword |
+| cisco.asa.message_id | The Cisco ASA message identifier. | keyword |
+| cisco.asa.privilege.new | When a users privilege is changed this is the new value | keyword |
+| cisco.asa.privilege.old | When a users privilege is changed this is the old value | keyword |
+| cisco.asa.rule_name | Name of the Access Control List rule that matched this event. | keyword |
+| cisco.asa.security | Cisco FTD security event fields. | flattened |
+| cisco.asa.session_type | Session type (for example, IPsec or UDP). | keyword |
+| cisco.asa.source_interface | Source interface for the flow or event. | keyword |
+| cisco.asa.source_username | Name of the user that is the source for this event. | keyword |
+| cisco.asa.suffix | Optional suffix after %ASA identifier. | keyword |
+| cisco.asa.termination_initiator | Interface name of the side that initiated the teardown | keyword |
+| cisco.asa.termination_user | AAA name of user requesting termination | keyword |
+| cisco.asa.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword |
+| cisco.asa.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword |
+| cisco.asa.tunnel_type | SA type (remote access or L2L) | keyword |
+| cisco.asa.username | | keyword |
+| cisco.asa.webvpn.group_name | The WebVPN group name the user belongs to | keyword |
+| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| client.ip | IP address of the client (IPv4 or IPv6). | ip |
+| client.port | Port of the client. | long |
+| client.user.name | Short name or login of the user. | keyword |
+| client.user.name.text | Multi-field of `client.user.name`. | match_only_text |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.bytes | Bytes sent from the destination to the source. | long |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip |
+| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long |
+| destination.port | Port of the destination. | long |
+| destination.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| destination.user.name | Short name or login of the user.
| keyword |
+| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.duration | Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time. | long |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`.
`event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| file.path.text | Multi-field of `file.path`. | match_only_text |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.
| keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type. | keyword |
+| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Offset of the entry in the log file.
| long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| observer.egress.interface.name | Interface name as reported by the system.
| keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.hostname | Hostname of the observer. | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
+| observer.ip | IP addresses of the observer. | ip |
+| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| observer.version | Observer version. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.pid | Process id. | long |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| server.ip | IP address of the server (IPv4 or IPv6). | ip |
+| server.port | Port of the server. | long |
+| server.user.name | Short name or login of the user. | keyword |
+| server.user.name.text | Multi-field of `server.user.name`. | match_only_text |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name.
| keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.port | Port of the source. | long | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| syslog.facility.code | Syslog numeric facility of the event. | long | +| syslog.priority | Syslog priority of the event. | long | +| tags | List of keywords used to tag each event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. 
| keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. 
For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.email | User email address. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | diff --git a/packages/cisco_asa/2.4.2/img/cisco.svg b/packages/cisco_asa/2.4.2/img/cisco.svg new file mode 100755 index 0000000000..20ebebf197 --- /dev/null +++ b/packages/cisco_asa/2.4.2/img/cisco.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/img/kibana-cisco-asa.png b/packages/cisco_asa/2.4.2/img/kibana-cisco-asa.png new file mode 100755 index 0000000000..ad51be2204 Binary files /dev/null and b/packages/cisco_asa/2.4.2/img/kibana-cisco-asa.png differ diff --git a/packages/cisco_asa/2.4.2/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..be56be76ce --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/dashboard/cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,53 @@ +{ + "attributes": { + "description": "Sample dashboard for Cisco ASA Firewall devices", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"1\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\",\"title\":\"Destination Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"2\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"2\",\"panelRefName\":\"panel_1\",\"title\":\"Source Port and Transport\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"3\",\"panelRefName\":\"panel_2\",\"title\":\"ASA Firewall Events Over Time\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"4\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"4\",\"panelRefName\":\"panel_3\",\"title\":\"ASA Flows by Network Bytes\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"5\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"5\",\"panelRefName\":\"panel_4\",\"title\":\"Blocked by Source\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"8\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"8\",\"panelRefName\":\"panel_5\",\"title\":\"Top ACL by Blocked\",\"version\":\"7.0.0-SNAPSHOT\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":12,\"i\":\"9\",\"w\":48,\"x\":0,\"y\":30},\"panelIndex\":\"9\",\"panelRefName\":\"panel_6\",\"version\":\"7.0.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Cisco] ASA Firewall", + "version": 1 + }, + "id": 
"cisco_asa-a555b160-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..c4e9b835ce --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "All ASA Logs [Cisco]", + "version": 1 + }, + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..827e718b96 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"flow-expiration\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall flows [Cisco]", + "version": 1 + }, + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..ecea457cb0 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/search/cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,29 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:cisco_asa.log and event.action:\\\"firewall-rule\\\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "ASA Firewall Events [Cisco]", + "version": 1 + }, + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..3d47d84b87 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.outcome:\\\"deny\\\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Top ACL by Blocked [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ACL ID\",\"field\":\"cisco.asa.rule_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Top ACL by Blocked [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-08ef4d90-499b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..6f81464b3a --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Destination Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"destination.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Destination Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-118da960-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..68171576d0 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Source Port and Transport [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"network.transport\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"source.port\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Source Port and Transport [Cisco]\",\"type\":\"pie\"}" + }, + "id": "cisco_asa-5d0322d0-4987-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..a39f27880f --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Flows by Network Bytes [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Total bytes\",\"field\":\"network.bytes\"},\"schema\":\"metric\",\"type\":\"sum\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"3\",\"label\":\"Total bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total bytes\"},\"type\":\"value\"}]},\"title\":\"ASA Flows by Network Bytes [Cisco]\",\"type\":\"histogram\"}" + }, + "id": "cisco_asa-80d0c1b0-498a-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-753406e0-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..67b75fd248 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Events Over Time [Cisco]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now+1y\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"ASA Events Over Time [Cisco]\",\"type\":\"histogram\"}" + }, + "id": 
"cisco_asa-a3b5ab10-4989-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..cab50f4d5c --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295.json @@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "ASA Firewall Blocked by Source [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"source.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"ASA Firewall Blocked by Source [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-d05cdf60-498b-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-96c6ff60-4986-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json new file mode 100755 index 0000000000..0b55816042 --- /dev/null +++ b/packages/cisco_asa/2.4.2/kibana/visualization/cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top ASA Messages [Cisco]", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"ID\",\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Severity\",\"field\":\"log.level\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"concat\",\"customLabel\":\"Sample message\",\"field\":\"event.original\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"}],\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":true,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"title\":\"Top ASA Messages [Cisco]\",\"type\":\"table\"}" + }, + "id": "cisco_asa-fd89b1e0-49a2-11e9-b8ce-ed898b5ef295", + "references": [ + { + "id": "cisco_asa-14fce5e0-498f-11e9-b8ce-ed898b5ef295", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/cisco_asa/2.4.2/manifest.yml b/packages/cisco_asa/2.4.2/manifest.yml new file mode 100755 index 0000000000..f0cc6e7c4f --- /dev/null +++ b/packages/cisco_asa/2.4.2/manifest.yml 
@@ -0,0 +1,39 @@
+format_version: 1.0.0
+name: cisco_asa
+title: Cisco ASA
+version: 2.4.2
+license: basic
+description: Collect logs from Cisco ASA with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+screenshots:
+ - src: /img/kibana-cisco-asa.png
+ title: kibana cisco asa
+ size: 1800x1559
+ type: image/png
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_asa
+ title: Cisco ASA logs
+ description: Collect logs from Cisco ASA instances
+ inputs:
+ - type: tcp
+ title: Collect logs from Cisco ASA via TCP
+ description: Collecting logs from Cisco ASA via TCP
+ - type: udp
+ title: Collect logs from Cisco ASA via UDP
+ description: Collecting logs from Cisco ASA via UDP
+ - type: logfile
+ title: Collect logs from Cisco ASA via file
+ description: Collecting logs from Cisco ASA via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/cisco_ftd/2.2.2/changelog.yml b/packages/cisco_ftd/2.2.2/changelog.yml
new file mode 100755
index 0000000000..4c0b0e64ea
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/changelog.yml
@@ -0,0 +1,97 @@
+# newer versions go on top
+- version: "2.2.2"
+ changes:
+ - description: Map syslog priority details according to ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3549
+ - description: Extract syslog facility and severity codes from syslog priority
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3549
+- version: "2.2.1"
+ changes:
+ - description: Remove invalid values from ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3344
+- version: "2.2.0"
+ changes:
+ - description: Add TLS system test
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3339
+ - description: Add TCP input with TLS support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3313
+- version: "2.1.1"
+ changes:
+ - description: Added link to Cisco's FTD documentation in readme
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2931
+- version: "2.1.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2778
+- version: "2.0.4"
+ changes:
+ - description: Set event.kind to alert only when sha_disposition is malware or custom
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3041
+- version: "2.0.3"
+ changes:
+ - description: Make fields agree with ECS
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3018
+- version: "2.0.2"
+ changes:
+ - description: Update observer to ftd and idps to better match this integration.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2551
+- version: "2.0.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "2.0.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2391
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2258
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1954
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1806
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1783
+- version: "1.0.1"
+ changes:
+ - description: Adding missing ECS fields
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1731
+- version: "1.0.0"
+ changes:
+ - description: Initial version to split Cisco FTD out from the general Cisco package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1586
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/stream.yml.hbs b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/stream.yml.hbs
new file mode 100755
index 0000000000..28ea4aaa98
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/stream.yml.hbs
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/tcp.yml.hbs b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/tcp.yml.hbs
new file mode 100755
index 0000000000..8f3ae72293
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/tcp.yml.hbs
@@ -0,0 +1,22 @@
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/udp.yml.hbs b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/udp.yml.hbs
new file mode 100755
index 0000000000..e129442a23
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/agent/stream/udp.yml.hbs
@@ -0,0 +1,16 @@
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
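Review bot: `- {{path}}` and `- {{tag}}` in stream.yml.hbs are rendered as plain, unquoted YAML scalars, so a configured path containing ` #` or `: `, or a tag that the agent's YAML loader types as a boolean or number (`on`, `1.10`), is mis-parsed or retyped before the input ever sees it; the same `- {{tag}}` loop appears in tcp.yml.hbs and udp.yml.hbs. Quoting the rendered values, `- "{{path}}"` and `- "{{tag}}"`, keeps them strings whatever the user typed, and `host: "{{tcp_host}}:{{tcp_port}}"` in the same templates already follows that pattern. Separately, `ssl: {{ssl}}` in tcp.yml.hbs is emitted only when `ssl` is set, so the TCP listener presumably accepts plaintext syslog by default; that is worth stating in the input's documentation next to the TLS option so operators know it must be enabled explicitly.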
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_ftd/2.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..38be2543cb
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1988 @@
+---
+description: "Pipeline for Cisco FTD logs"
+processors:
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: ecs.version
+ value: "8.2.0"
+ #
+ # Parse the syslog header
+ #
+ # This populates the host.hostname, process.name, timestamp and other fields
+ # from the header and stores the message contents in _temp_.full_message.
+ - grok:
+ field: event.original
+ patterns:
+ - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
+ pattern_definitions:
+ SYSLOG_HEADER: "(?:%{SYSLOGFACILITY}\\s*)?(?:%{FTD_DATE:_temp_.raw_date}:?\\s+)?(?:%{PROCESS_HOST}|%{HOST_PROCESS})(?:{DATA})?%{SYSLOG_END}?"
+ SYSLOGFACILITY: "<%{NONNEGINT:log.syslog.priority:int}>"
+ # Beginning with version 6.3, Firepower Threat Defense provides the option to enable timestamp as per RFC 5424.
+ FTD_DATE: "(?:%{TIMESTAMP_ISO8601}|%{ASA_DATE})"
+ ASA_DATE: "(?:%{DAY} )?%{MONTH} *%{MONTHDAY}(?: %{YEAR})? %{TIME}(?: %{TZ})?"
+ PROCESS: "(?:[^%\\s:\\[]+)"
+ SYSLOG_END: "(?:(:|\\s)\\s+)"
+ # exactly match the syntax for firepower management logs
+ PROCESS_HOST: "(?:%{PROCESS:process.name}:\\s%{SYSLOGHOST:host.name})"
+ HOST_PROCESS: "(?:%{SYSLOGHOST:host.hostname}:?\\s+)?(?:%{PROCESS:process.name}?(?:\\[%{POSINT:process.pid:long}\\])?)?"
+ - script:
+ lang: painless
+ source: |
+ if (ctx.log?.syslog?.priority != null) {
+ def severity = new HashMap();
+ severity['code'] = ctx.log.syslog.priority&0x7;
+ ctx.log.syslog['severity'] = severity;
+ def facility = new HashMap();
+ facility['code'] = ctx.log.syslog.priority>>3;
+ ctx.log.syslog['facility'] = facility;
+ }
+
+ #
+ # Parse FTD/ASA style message
+ #
+ # This parses the header of an EMBLEM-style message for FTD and ASA prefixes.
+ - grok:
+ field: _temp_.full_message
+ patterns:
+ - "%{FTD_PREFIX}-(?:%{FTD_SUFFIX:_temp_.cisco.suffix}-)?%{NONNEGINT:event.severity:int}-%{POSINT:_temp_.cisco.message_id}?:?\\s*%{GREEDYDATA:message}"
+ # Before version 6.3, messages for connection, security intelligence, and intrusion events didn't include an event type ID in the message header.
+ - "%{GREEDYDATA:message}"
+ pattern_definitions:
+ FTD_SUFFIX: "[^0-9-]+"
+ # Before version 6.3, FTD used ASA prefix in syslog messages
+ FTD_PREFIX: "%{DATA}%(?:[A-Z]+)"
+
+ #
+ # Create missing fields when no %FTD label is present
+ #
+ # message_id is needed in order for some processors below to work.
+ - set:
+ field: _temp_.cisco.message_id
+ value: ""
+ if: "ctx?._temp_?.cisco?.message_id == null"
+
+ #
+ # set default event.severity to 7 (debug):
+ #
+ # This value is read from the EMBLEM header and won't be present if this is not
+ # an emblem message (firewalls can be configured to report other kinds of events)
+ - set:
+ field: event.severity
+ value: 7
+ if: "ctx?.event?.severity == null"
+
+ #
+ # Parse the date included in FTD logs
+ #
+ - date:
+ if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null"
+ field: "_temp_.raw_date"
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ - "MMM d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ [
+ {
+ "append":
+ {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}",
+ },
+ },
+ ]
+ - date:
+ if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null"
+ timezone: "{{ event.timezone }}"
+ field: "_temp_.raw_date"
+ target_field: "@timestamp"
+ formats:
+ - "ISO8601"
+ - "MMM d HH:mm:ss"
+ - "MMM dd HH:mm:ss"
+ - "EEE MMM d HH:mm:ss"
+ - "EEE MMM dd HH:mm:ss"
+ - "MMM d HH:mm:ss z"
+ - "MMM dd HH:mm:ss z"
+ - "EEE MMM d HH:mm:ss z"
+ - "EEE MMM dd HH:mm:ss z"
+ - "MMM d yyyy HH:mm:ss"
+ - "MMM dd yyyy HH:mm:ss"
+ - "EEE MMM d yyyy HH:mm:ss"
+ - "EEE MMM dd yyyy HH:mm:ss"
+ - "MMM d yyyy HH:mm:ss z"
+ - "MMM dd yyyy HH:mm:ss z"
+ - "EEE MMM d yyyy HH:mm:ss z"
+ - "EEE MMM dd yyyy HH:mm:ss z"
+ on_failure:
+ [
+ {
+ "append":
+ {
+ "field": "error.message",
+ "value": "{{ _ingest.on_failure_message }}",
+ },
+ },
+ ]
+
+ #
+ # Set log.level
+ #
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 0"
+ value: unknown
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 1"
+ value: alert
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 2"
+ value: critical
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 3"
+ value: error
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 4"
+ value: warning
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 5"
+ value: notification
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 6"
+ value: informational
+ - set:
+ field: "log.level"
+ if: "ctx.event.severity == 7"
+ value: debug
+
+ #
+ # Firewall messages
+ #
+ # This set of messages is shared between FTD and ASA.
+ - set:
+ if: 'ctx._temp_.cisco.message_id != ""'
+ field: "event.action"
+ value: "firewall-rule"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106001'"
+ field: "message"
+ description: "106001"
+ pattern: "%{network.direction} %{network.transport} connection %{event.outcome} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106002'"
+ field: "message"
+ description: "106002"
+ pattern: "%{network.transport} Connection %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106006'"
+ field: "message"
+ description: "106006"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106007'"
+ field: "message"
+ description: "106007"
+ pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106010'"
+ field: "message"
+ description: "106010"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "message"
+ description: "106013"
+ pattern: "Dropping echo request from %{source.address} to PAT address %{destination.address}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.transport"
+ description: "106013"
+ value: icmp
+ - set:
+ if: "ctx._temp_.cisco.message_id == '106013'"
+ field: "network.direction"
+ description: "106013"
+ value: inbound
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106014'"
+ field: "message"
+ description: "106014"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:(?[^ (]*)(%{GREEDYDATA})?"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106015'"
+ field: "message"
+ description: "106015"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106016'"
+ field: "message"
+ pattern: "%{event.outcome} IP spoof from (%{source.address}) to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106016"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106017'"
+ field: "message"
+ pattern: "%{event.outcome} IP due to Land Attack from %{source.address} to %{destination.address}"
+ description: "106017"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106018'"
+ field: "message"
+ pattern: "%{network.transport} packet type %{_temp_.cisco.icmp_type} %{event.outcome} by %{network.direction} list %{_temp_.cisco.list_id} src %{source.address} dest %{destination.address}"
+ description: "106018"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106020'"
+ field: "message"
+ pattern: "%{event.outcome} IP teardrop fragment (size = %{}, offset = %{}) from %{source.address} to %{destination.address}"
+ description: "106020"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106021'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} reverse path check from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106021"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106022'"
+ field: "message"
+ pattern: "%{event.outcome} %{network.transport} connection spoof from %{source.address} to %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ description: "106022"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '106023'"
+ field: "message"
+ description: "106023"
+ patterns:
+ - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106027'"
+ field: "message"
+ description: "106027"
+ pattern: '%{} %{event.outcome} src %{source.address} dst %{destination.address} by access-group "%{_temp_.cisco.list_id}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106100'"
+ field: "message"
+ description: "106100"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'"
+ field: "message"
+ description: "106103"
+ pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ field: "message"
+ description: "111004"
+ pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "success"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'"
+ - set:
+ field: event.outcome
+ description: "111004"
+ value: "failure"
+ if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'"
+ - remove:
+ field: _temp_.cisco.cli_outcome
+ ignore_missing: true
+ - append:
+ field: event.type
+ description: "111004"
+ value: "change"
+ if: "ctx._temp_.cisco.message_id == '111004'"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111009'"
+ description: "111009"
+ field: "message"
+ patterns:
+ - "^%{NOTSPACE} '%{NOTSPACE:server.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '111010'"
+ field: "message"
+ description: "111010"
+ patterns:
+ - "User '%{NOTSPACE:server.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '113019'"
+ field: "message"
+ description: "113019"
+ pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
+ - grok:
+ if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "302013, 302015"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '303002'"
+ field: "message"
+ description: "303002"
+ pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302012'"
+ field: "message"
+ description: "302012"
+ pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '302020'"
+ field: "message"
+ description: "302020"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?"
+ pattern_definitions:
+ NOTCOLON: "[^:]*"
+ ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})"
+ ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})"
+ MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302022'"
+ field: "message"
+ description: "302022"
+ pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302023'"
+ field: "message"
+ description: "302023"
+ pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "message"
+ description: "304001"
+ patterns:
+ - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '304001'"
+ field: "event.outcome"
+ description: "304001"
+ value: success
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '304002'"
+ field: "message"
+ description: "304002"
+ pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}"
+ - grok:
+ if: "ctx._temp_.cisco.message_id == '305011'"
+ field: "message"
+ description: "305011"
+ patterns:
+ - Built %{NOTSPACE} %{NOTSPACE:network.transport} translation from %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\(%{NOTSPACE:source.user.name}\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port}
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313001'"
+ field: "message"
+ description: "313001"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313004'"
+ field: "message"
+ description: "313004"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, from%{}addr %{source.address} on interface %{_temp_.cisco.source_interface} to %{destination.address}: no matching session"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313005'"
+ field: "message"
+ description: "313005"
+ pattern: "No matching connection for %{network.transport} error message: %{} on %{_temp_.cisco.source_interface} interface.%{}riginal IP payload: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313008'"
+ field: "message"
+ description: "313008"
+ pattern: "%{event.outcome} %{network.transport} type=%{_temp_.cisco.icmp_type}, code=%{_temp_.cisco.icmp_code} from %{source.address} on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '313009'"
+ field: "message"
+ description: "313009"
+ pattern: "%{event.outcome} invalid %{network.transport} code %{_temp_.cisco.icmp_code}, for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '322001'"
+ field: "message"
+ description: "322001"
+ pattern: "%{event.outcome} MAC address %{source.mac}, possible spoof attempt on interface %{_temp_.cisco.source_interface}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "message"
+ description: "338001"
+ pattern: "Dynamic filter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338001'"
+ field: "server.domain"
+ description: "338001"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "message"
+ description: "338002"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338002'"
+ field: "server.domain"
+ description: "338002"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338003'"
+ field: "message"
+ description: "338003"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338004'"
+ field: "message"
+ description: "338004"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "message"
+ description: "338005"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338005'"
+ field: "server.domain"
+ description: "338005"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "message"
+ description: "338006"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338006'"
+ field: "server.domain"
+ description: "338006"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338007'"
+ field: "message"
+ description: "338007"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338008'"
+ field: "message"
+ description: "338008"
+ pattern: "Dynamic %{}ilter %{event.outcome} black%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "message"
+ description: "338101"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338101'"
+ field: "server.domain"
+ description: "338101"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "message"
+ description: "338102"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338102'"
+ field: "server.domain"
+ description: "338102"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338103'"
+ field: "message"
+ description: "338103"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338104'"
+ field: "message"
+ description: "338104"
+ pattern: "Dynamic %{}ilter %{event.outcome} white%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "message"
+ description: "338201"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338201'"
+ field: "server.domain"
+ description: "338201"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "message"
+ description: "338202"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338202'"
+ field: "server.domain"
+ description: "338202"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "message"
+ description: "338203"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}source %{} resolved from %{_temp_.cisco.list_id} list: %{source.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338203'"
+ field: "server.domain"
+ description: "338203"
+ value: "{{source.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "message"
+ description: "338204"
+ pattern: "Dynamic %{}ilter %{event.outcome} grey%{}d %{network.transport} traffic from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})%{}destination %{} resolved from %{_temp_.cisco.list_id} list: %{destination.domain}, threat-level: %{_temp_.cisco.threat_level}, category: %{_temp_.cisco.threat_category}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338204'"
+ field: "server.domain"
+ description: "338204"
+ value: "{{destination.domain}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "message"
+ description: "338301"
+ pattern: "Intercepted DNS reply for domain %{source.domain} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, matched %{_temp_.cisco.list_id}"
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.address"
+ description: "338301"
+ value: "{{destination.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "client.port"
+ description: "338301"
+ value: "{{destination.port}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.address"
+ description: "338301"
+ value: "{{source.address}}"
+ ignore_empty_value: true
+ - set:
+ if: "ctx._temp_.cisco.message_id == '338301'"
+ field: "server.port"
+ description: "338301"
+ value: "{{source.port}}"
+ ignore_empty_value: true
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "message"
+ description: "502103"
+ pattern: "User priv level changed: Uname: %{server.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.type"
+ description: "502103"
+ value:
+ - "group"
+ - "change"
+ - append:
+ if: "ctx._temp_.cisco.message_id == '502103'"
+ field: "event.category"
+ description: "502103"
+ value: "iam"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '507003'"
+ field: "message"
+ description: "507003"
+ pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}"
+ - dissect:
+ if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "605004, 605005"
+ pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"'
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609001'"
+ field: "message"
+ description: "609001"
+ pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '609002'"
+ field: "message"
+ description: "609002"
+ pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}"
+ - dissect:
+ if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)'
+ field: "message"
+ description: "611102, 611101"
+ pattern: "User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{server.user.name}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '710003'"
+ field: "message"
+ description: "710003"
+ pattern: "%{network.transport} access %{event.outcome} by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == 
'710005'" + field: "message" + description: "710005" + pattern: "%{network.transport} request %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + description: "713049" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - grok: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + description: "716002" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> WebVPN session terminated: %{GREEDYDATA:event.reason}." + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} WebVPN session terminated: %{GREEDYDATA:event.reason}." + - grok: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + description: "722051" + patterns: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + description: "733100" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. 
Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + - dissect: + if: "ctx._temp_.cisco.message_id == '734001'" + field: "message" + description: "734001" + pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + description: "805001" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + description: "805002" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - split: + field: "_temp_.cisco.dap_records" + separator: ",\\s+" + ignore_missing: true + - dissect: + if: "ctx._temp_.cisco.message_id == '434002'" + field: "message" + pattern: "SFR requested to %{event.action} %{network.protocol} packet from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '434004'" + field: "message" + pattern: "SFR requested ASA to %{event.action} further packet redirection and process %{network.protocol} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} locally" + - dissect: + if: "ctx._temp_.cisco.message_id == '110002'" + field: "message" + pattern: "%{event.reason} for %{network.protocol} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '419002'" + field: "message" + pattern: "%{event.reason}from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{+event.reason}" + - dissect: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + - dissect: + if: "ctx._temp_.cisco.message_id == '750002'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713120'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, %{event.reason} (msgid=%{event.id})" + - dissect: + if: "ctx._temp_.cisco.message_id == '713202'" + field: "message" + pattern: "IP = %{source.address}, %{event.reason}. %{} packet." 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '750003'" + field: "message" + pattern: "Local:%{source.address}:%{source.port} Remote:%{destination.address}:%{destination.port} Username:%{user.name} %{event.reason} ERROR:%{+event.reason}" + - grok: + if: '["713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "message" + patterns: + - "^(Group = %{IP}, )?(IP = %{IP:source.address}, )?%{GREEDYDATA:event.reason}$" + # Handle ecs action outcome protocol + - set: + if: '["434002", "434004"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "unknown" + - set: + if: '["419002"].contains(ctx._temp_.cisco.message_id)' + field: "network.protocol" + value: "tcp" + - set: + if: '["110002"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["713120"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "success" + - set: + if: '["713905", "713904", "713906", "713902", "713901", "710005"].contains(ctx._temp_.cisco.message_id)' + field: "event.outcome" + value: "failure" + - set: + if: '["750002", "750003"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "connection-started" + - set: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "error" + - append: + if: '["750003", "713905", "713904", "713906", "713902", "713901"].contains(ctx._temp_.cisco.message_id)' + field: "event.type" + value: "error" + + # + # Handle 302xxx messages (Flow expiration a.k.a "Teardown") + # + - set: + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + field: "event.action" + value: "flow-expiration" + description: "302012, 302014, 
302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + - grok: + field: "message" + if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" + patterns: + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) 
%{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr 
(?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + pattern_definitions: + NOTCOLON: "[^:]*" + ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" + ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" + MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + + # + # Decode FTD's Security Event Syslog Messages + # + # 43000x messages are security event syslog messages specific to FTD. + # Format is a comma-separated sequence of key: value pairs. + # + # The result of this decoding is saved as _temp_.orig_security.{Key}: {Value} + - kv: + if: '["430001", "430002", "430003", "430004", "430005", ""].contains(ctx._temp_.cisco.message_id)' + field: "message" + description: "430001, 430002, 430003, 430004, 430005" + field_split: ",(?=[A-za-z1-9\\s]+:)" + value_split: ":" + target_field: "_temp_.orig_security" + trim_key: " " + trim_value: " " + ignore_failure: true + + # + # Remove _temp_.full_message. + # + # The field has been used as temporary buffer while decoding. The full message + # is kept under event.original. Processors below can still add a message field, as some + # security events contain an explanatory Message field. + - remove: + field: + - message + - _temp_.full_message + ignore_missing: true + + # + # Populate ECS fields from Security Events + # + # This script uses the key-value pairs from Security Events to populate + # the appropriate ECS fields. + # + # A single key can be mapped to multiple ECS fields, and more than one key can + # map to the same ECS field, which results in an array being created. + # + # This script performs an additional job: + # + # Before FTD version 6.3, the message_id was not included in Security Events. + # As this field encodes the kind of event (intrusion, connection, malware...) 
+ # the script below will guess the right message_id from the keys present in + # the event. + # + # The reason for overloading this script with different behaviors is + # that this pipeline is already reaching the limit on script compilations. + # + #******************************************************************************* + # Code generated by go generate. DO NOT EDIT. + #******************************************************************************* + - script: + if: ctx._temp_?.orig_security != null + params: + ACPolicy: + target: ac_policy + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleAction: + target: access_control_rule_action + id: ["430002", "430003"] + ecs: [event.outcome] + AccessControlRuleName: + target: access_control_rule_name + id: ["430002", "430003"] + ecs: [_temp_.cisco.rule_name] + AccessControlRuleReason: + target: access_control_rule_reason + id: ["430002", "430003"] + ApplicationProtocol: + target: application_protocol + ecs: [network.protocol] + ArchiveDepth: + target: archive_depth + id: ["430004", "430005"] + ArchiveFileName: + target: archive_file_name + id: ["430004", "430005"] + ecs: [file.name] + ArchiveFileStatus: + target: archive_file_status + id: ["430004", "430005"] + ArchiveSHA256: + target: archive_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + Classification: + target: classification + id: ["430001"] + Client: + target: client + ecs: [network.application] + ClientVersion: + target: client_version + id: ["430002", "430003"] + ConnectionDuration: + target: connection_duration + id: ["430003"] + ecs: [event.duration] + DNS_Sinkhole: + target: dns_sinkhole + id: ["430002", "430003"] + DNS_TTL: + target: dns_ttl + id: ["430002", "430003"] + DNSQuery: + target: dns_query + id: ["430002", "430003"] + ecs: [dns.question.name] + DNSRecordType: + target: dns_record_type + id: ["430002", "430003"] + ecs: [dns.question.type] + DNSResponseType: + target: dns_response_type + id: 
["430002", "430003"] + ecs: [dns.response_code] + DNSSICategory: + target: dnssi_category + id: ["430002", "430003"] + DstIP: + target: dst_ip + ecs: [destination.address] + DstPort: + target: dst_port + ecs: [destination.port] + EgressInterface: + target: egress_interface + id: ["430001", "430002", "430003"] + ecs: [_temp_.cisco.destination_interface] + EgressZone: + target: egress_zone + id: ["430001", "430002", "430003"] + Endpoint Profile: + target: endpoint_profile + id: ["430002", "430003"] + FileAction: + target: file_action + id: ["430004", "430005"] + FileCount: + target: file_count + id: ["430002", "430003"] + FileDirection: + target: file_direction + id: ["430004", "430005"] + FileName: + target: file_name + id: ["430004", "430005"] + ecs: [file.name] + FilePolicy: + target: file_policy + id: ["430004", "430005"] + ecs: [_temp_.cisco.rule_name] + FileSHA256: + target: file_sha256 + id: ["430004", "430005"] + ecs: [file.hash.sha256] + FileSandboxStatus: + target: file_sandbox_status + id: ["430004", "430005"] + FileSize: + target: file_size + id: ["430004", "430005"] + ecs: [file.size] + FileStorageStatus: + target: file_storage_status + id: ["430004", "430005"] + FileType: + target: file_type + id: ["430004", "430005"] + FirstPacketSecond: + target: first_packet_second + id: ["430004", "430005"] + ecs: [event.start] + GID: + target: gid + id: ["430001"] + ecs: [service.id] + HTTPReferer: + target: http_referer + id: ["430002", "430003"] + ecs: [http.request.referrer] + HTTPResponse: + target: http_response + id: ["430001", "430002", "430003"] + ecs: [http.response.status_code] + ICMPCode: + target: icmp_code + id: ["430001", "430002", "430003"] + ICMPType: + target: icmp_type + id: ["430001", "430002", "430003"] + IPReputationSICategory: + target: ip_reputation_si_category + id: ["430002", "430003"] + IPSCount: + target: ips_count + id: ["430002", "430003"] + IngressInterface: + target: ingress_interface + id: ["430001", "430002", "430003"] + ecs: 
[_temp_.cisco.source_interface] + IngressZone: + target: ingress_zone + id: ["430001", "430002", "430003"] + InitiatorBytes: + target: initiator_bytes + id: ["430003"] + ecs: [source.bytes] + InitiatorPackets: + target: initiator_packets + id: ["430003"] + ecs: [source.packets] + InlineResult: + target: inline_result + id: ["430001"] + ecs: [event.outcome] + IntrusionPolicy: + target: intrusion_policy + id: ["430001"] + ecs: [_temp_.cisco.rule_name] + MPLS_Label: + target: mpls_label + id: ["430001"] + Message: + target: message + id: ["430001"] + ecs: [message] + NAPPolicy: + target: nap_policy + id: ["430001", "430002", "430003"] + NetBIOSDomain: + target: net_bios_domain + id: ["430002", "430003"] + ecs: [host.hostname] + NumIOC: + target: num_ioc + id: ["430001"] + Prefilter Policy: + target: prefilter_policy + id: ["430002", "430003"] + Priority: + target: priority + id: ["430001"] + Protocol: + target: protocol + ecs: [network.transport] + ReferencedHost: + target: referenced_host + id: ["430002", "430003"] + ecs: [url.domain] + ResponderBytes: + target: responder_bytes + id: ["430003"] + ecs: [destination.bytes] + ResponderPackets: + target: responder_packets + id: ["430003"] + ecs: [destination.packets] + Revision: + target: revision + id: ["430001"] + SHA_Disposition: + target: sha_disposition + id: ["430004", "430005"] + SID: + target: sid + id: ["430001"] + SSLActualAction: + target: ssl_actual_action + ecs: [event.outcome] + SSLCertificate: + target: ssl_certificate + id: ["430002", "430003", "430004", "430005"] + SSLExpectedAction: + target: ssl_expected_action + id: ["430002", "430003"] + SSLFlowStatus: + target: ssl_flow_status + id: ["430002", "430003", "430004", "430005"] + SSLPolicy: + target: ssl_policy + id: ["430002", "430003"] + SSLRuleName: + target: ssl_rule_name + id: ["430002", "430003"] + SSLServerCertStatus: + target: ssl_server_cert_status + id: ["430002", "430003"] + SSLServerName: + target: ssl_server_name + id: ["430002", "430003"] + 
ecs: [server.domain] + SSLSessionID: + target: ssl_session_id + id: ["430002", "430003"] + SSLTicketID: + target: ssl_ticket_id + id: ["430002", "430003"] + SSLURLCategory: + target: sslurl_category + id: ["430002", "430003"] + SSLVersion: + target: ssl_version + id: ["430002", "430003"] + SSSLCipherSuite: + target: sssl_cipher_suite + id: ["430002", "430003"] + SecIntMatchingIP: + target: sec_int_matching_ip + id: ["430002", "430003"] + Security Group: + target: security_group + id: ["430002", "430003"] + SperoDisposition: + target: spero_disposition + id: ["430004", "430005"] + SrcIP: + target: src_ip + ecs: [source.address] + SrcPort: + target: src_port + ecs: [source.port] + TCPFlags: + target: tcp_flags + id: ["430002", "430003"] + ThreatName: + target: threat_name + id: ["430005"] + ecs: [_temp_.cisco.threat_category] + ThreatScore: + target: threat_score + id: ["430005"] + ecs: [_temp_.cisco.threat_level] + Tunnel or Prefilter Rule: + target: tunnel_or_prefilter_rule + id: ["430002", "430003"] + URI: + target: uri + id: ["430004", "430005"] + ecs: [url.original] + URL: + target: url + id: ["430002", "430003"] + ecs: [url.original] + URLCategory: + target: url_category + id: ["430002", "430003"] + URLReputation: + target: url_reputation + id: ["430002", "430003"] + URLSICategory: + target: urlsi_category + id: ["430002", "430003"] + User: + target: user + ecs: [user.id, user.name] + UserAgent: + target: user_agent + id: ["430002", "430003"] + ecs: [user_agent.original] + VLAN_ID: + target: vlan_id + id: ["430001", "430002", "430003"] + WebApplication: + target: web_application + ecs: [network.application] + originalClientSrcIP: + target: original_client_src_ip + id: ["430002", "430003"] + ecs: [client.address] + lang: painless + source: | + boolean isEmpty(def value) { + return (value instanceof AbstractList? 
value.size() : value.length()) == 0; + } + def appendOrCreate(Map dest, String[] path, def value) { + for (int i=0; i new HashMap()); + } + String key = path[path.length - 1]; + def existing = dest.get(key); + return existing == null? + dest.put(key, value) + : existing instanceof AbstractList? + existing.add(value) + : dest.put(key, new ArrayList([existing, value])); + } + def msg = ctx._temp_.orig_security; + def counters = new HashMap(); + def dest = new HashMap(); + ctx._temp_.cisco['security'] = dest; + for (entry in msg.entrySet()) { + def param = params.get(entry.getKey()); + if (param == null) { + continue; + } + param.getOrDefault('id', []).forEach( id -> counters[id] = 1 + counters.getOrDefault(id, 0) ); + if (!isEmpty(entry.getValue())) { + param.getOrDefault('ecs', []).forEach( field -> appendOrCreate(ctx, field.splitOnToken('.'), entry.getValue()) ); + dest[param.target] = entry.getValue(); + } + } + if (ctx._temp_.cisco.message_id != "") return; + def best; + for (entry in counters.entrySet()) { + if (best == null || best.getValue() < entry.getValue()) best = entry; + } + if (best != null) ctx._temp_.cisco.message_id = best.getKey(); + #******************************************************************************* + # End of generated code. 
+ #******************************************************************************* + + # + # Normalize ECS field values + # + - script: + lang: painless + params: + "ctx._temp_.cisco.message_id": + target: event.action + map: + "430001": intrusion-detected + "430002": connection-started + "430003": connection-finished + "430004": file-detected + "430005": malware-detected + "dns.question.type": + map: + "a host address": A + "ip6 address": AAAA + "text strings": TXT + "a domain name pointer": PTR + "an authoritative name server": NS + "the canonical name for an alias": CNAME + "marks the start of a zone of authority": SOA + "mail exchange": MX + "server selection": SRV + "dns.response_code": + map: + "non-existent domain": NXDOMAIN + "server failure": SERVFAIL + "query refused": REFUSED + "no error": NOERROR + source: | + def getField(Map src, String[] path) { + for (int i=0; i new HashMap()); + } + dest[path[path.length-1]] = value; + } + for (entry in params.entrySet()) { + def srcField = entry.getKey(); + def param = entry.getValue(); + String oldVal = getField(ctx, srcField.splitOnToken('.')); + if (oldVal == null) continue; + def newVal = param.map?.getOrDefault(oldVal.toLowerCase(), null); + if (newVal != null) { + def dstField = param.getOrDefault('target', srcField); + setField(ctx, dstField.splitOnToken('.'), newVal); + } + } + - set: + if: "ctx.dns?.question?.type != null && ctx.dns?.response_code == null" + field: dns.response_code + value: NOERROR + - set: + if: 'ctx._temp_.cisco.message_id == "430001"' + field: event.action + value: intrusion-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430002"' + field: event.action + value: connection-started + - set: + if: 'ctx._temp_.cisco.message_id == "430003"' + field: event.action + value: connection-finished + - set: + if: 'ctx._temp_.cisco.message_id == "430004"' + field: event.action + value: file-detected + - set: + if: 'ctx._temp_.cisco.message_id == "430005"' + field: event.action + value: 
malware-detected + + # + # Handle event.duration + # + # It can be set from ConnectionDuration FTD field above. This field holds + # seconds as a string. Copy it to _temp_.duration_hms so that the following + # processor converts it to the right value and populates start and end. + - set: + field: "_temp_.duration_hms" + value: "{{event.duration}}" + ignore_empty_value: true + + # + # Process the flow duration "hh:mm:ss" present in some messages + # This will fill event.start, event.end and event.duration + # + - script: + lang: painless + if: "ctx?._temp_?.duration_hms != null" + source: > + long parse_hms(String s) { + long cur = 0, total = 0; + for (char c: s.toCharArray()) { + if (c >= (char)'0' && c <= (char)'9') { + cur = (cur*10) + (long)c - (char)'0'; + } else if (c == (char)':') { + total = (total + cur) * 60; + cur = 0; + } else { + return 0; + } + } + return total + cur; + } + if (ctx?.event == null) { + ctx['event'] = new HashMap(); + } + String end = ctx['@timestamp']; + ctx.event['end'] = end; + long nanos = parse_hms(ctx._temp_.duration_hms) * 1000000000L; + ctx.event['duration'] = nanos; + ctx.event['start'] = ZonedDateTime.ofInstant( + Instant.parse(end).minusNanos(nanos), + ZoneOffset.UTC); + # + # Normalize protocol names + # + - lowercase: + field: "network.transport" + ignore_failure: true + - lowercase: + field: "network.protocol" + ignore_failure: true + - lowercase: + field: "network.application" + ignore_failure: true + - lowercase: + field: "file.type" + ignore_failure: true + - lowercase: + field: "network.direction" + ignore_failure: true + - lowercase: + field: "network.type" + ignore_failure: true + # + # Populate network.iana_number from network.transport. Also does reverse + # mapping in case network.transport contains the iana_number. 
+ # + - script: + if: "ctx?.network?.transport != null" + lang: painless + params: + icmp: 1 + igmp: 2 + ipv4: 4 + tcp: 6 + egp: 8 + igp: 9 + pup: 12 + udp: 17 + rdp: 27 + irtp: 28 + dccp: 33 + idpr: 35 + ipv6: 41 + ipv6-route: 43 + ipv6-frag: 44 + rsvp: 46 + gre: 47 + esp: 50 + ipv6-icmp: 58 + ipv6-nonxt: 59 + ipv6-opts: 60 + source: > + def net = ctx.network; + def iana = params[net.transport]; + if (iana != null) { + net['iana_number'] = iana; + return; + } + def reverse = new HashMap(); + def[] arr = new def[] { null }; + for (entry in params.entrySet()) { + arr[0] = entry.getValue(); + reverse.put(String.format("%d", arr), entry.getKey()); + } + def trans = reverse[net.transport]; + if (trans != null) { + net['iana_number'] = net.transport; + net['transport'] = trans; + } + # + # Normalize event.outcome + # + - lowercase: + field: "event.outcome" + ignore_missing: true + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "est-allowed"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "permitted"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "allow"' + value: success + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "denied"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "deny"' + value: failure + - set: + field: "event.outcome" + if: 'ctx.event?.outcome == "dropped"' + value: failure + - set: + field: "network.transport" + if: 'ctx.network?.transport == "icmpv6"' + value: "ipv6-icmp" + # + # Convert numeric fields to integer or long, as output of dissect and kv processors is always a string + # + - convert: + field: source.port + type: integer + ignore_failure: true + - convert: + field: destination.port + type: integer + ignore_failure: true + - convert: + field: source.bytes + type: long + ignore_failure: true + - convert: + field: destination.bytes + type: long + ignore_failure: true + - convert: + field: network.bytes + type: long + 
ignore_failure: true + - convert: + field: source.packets + type: integer + ignore_failure: true + - convert: + field: destination.packets + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.mapped_source_port + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.mapped_destination_port + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.icmp_code + type: integer + ignore_failure: true + - convert: + field: _temp_.cisco.icmp_type + type: integer + ignore_failure: true + - convert: + field: http.response.status_code + type: integer + ignore_failure: true + - convert: + field: file.size + type: integer + ignore_failure: true + - convert: + field: network.iana_number + type: string + ignore_failure: true + # + # Assign ECS .ip fields from .address is a valid IP address is found, + # otherwise set .domain field. + # + - grok: + field: source.address + patterns: + - "^(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})$" + ignore_failure: true + - grok: + field: destination.address + patterns: + - "^(?:%{IP:destination.ip}|%{GREEDYDATA:destination.domain})$" + ignore_failure: true + - grok: + field: client.address + patterns: + - "^(?:%{IP:client.ip}|%{GREEDYDATA:client.domain})$" + ignore_failure: true + - grok: + field: server.address + patterns: + - "^(?:%{IP:server.ip}|%{GREEDYDATA:server.domain})$" + ignore_failure: true + # + # Geolocation for source and destination addresses + # + - geoip: + field: "source.ip" + target_field: "source.geo" + ignore_missing: true + - geoip: + field: "destination.ip" + target_field: "destination.geo" + ignore_missing: true + # + # IP Autonomous System (AS) Lookup + # + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + 
ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ #
+ # Set mapped_{src|dst}_ip fields only if they consist of a valid IP address.
+ #
+ - grok:
+ field: _temp_.natsrcip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_source_ip}|%{GREEDYDATA:_temp_.cisco.mapped_source_host})$"
+ ignore_failure: true
+ - grok:
+ field: _temp_.natdstip
+ patterns:
+ - "^(?:%{IP:_temp_.cisco.mapped_destination_ip}|%{GREEDYDATA:_temp_.cisco.mapped_destination_host})$"
+ ignore_failure: true
+ #
+ # NAT fields
+ #
+ # The firewall always populates mapped ip and port even if there was no NAT.
+ # This populates both nat.ip and nat.port only when some translation is done.
+ # Fills nat.ip and nat.port even when only the ip or port changed.
+ - set:
+ field: source.nat.ip
+ value: "{{_temp_.cisco.mapped_source_ip}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: source.nat.port
+ value: "{{_temp_.cisco.mapped_source_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
+ ignore_empty_value: true
+ - convert:
+ field: source.nat.port
+ type: long
+ ignore_missing: true
+ - set:
+ field: destination.nat.ip
+ value: "{{_temp_.cisco.mapped_destination_ip}}"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.ip
+ type: ip
+ ignore_missing: true
+ - set:
+ field: destination.nat.port
+ value: "{{_temp_.cisco.mapped_destination_port}}"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
+ ignore_empty_value: true
+ - convert:
+ field: destination.nat.port
+ type: long
+ ignore_missing: true
+ #
+ # Zone-based Network Directionality
+ #
+ # If external and internal zones are specified and our ingress/egress zones are
+ # populated, then we can classify traffic directionality based off of our defined
+ # zones rather than the logs.
+ - set:
+ field: network.direction
+ value: inbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ - set:
+ field: network.direction
+ value: outbound
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: internal
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.internal_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: external
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ ctx._temp_.external_zones.contains(ctx.observer.ingress.zone)
+ - set:
+ field: network.direction
+ value: unknown
+ if: >
+ ctx?._temp_?.external_zones != null &&
+ ctx?._temp_?.internal_zones != null &&
+ ctx?.observer?.egress?.zone != null &&
+ ctx?.observer?.ingress?.zone != null &&
+ (
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.egress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.egress.zone)
+ ) ||
+ (
+ !ctx._temp_.external_zones.contains(ctx.observer.ingress.zone) &&
+ !ctx._temp_.internal_zones.contains(ctx.observer.ingress.zone)
+ )
+ )
+
+ - set:
+ field: _temp_.url_domain
+ value:
"{{url.domain}}" + ignore_failure: true + if: ctx?.url?.domain != null + + - uri_parts: + field: url.original + ignore_failure: true + if: ctx?.url?.original != null + - append: + field: url.domain + value: "{{_temp_.url_domain}}" + ignore_failure: true + allow_duplicates: false + if: ctx?._temp_?.url_domain != null + + # + # Populate ECS event.code + # + - rename: + field: _temp_.cisco.message_id + target_field: event.code + ignore_failure: true + - remove: + field: + - _temp_.cisco.message_id + - event.code + if: 'ctx._temp_.cisco.message_id == ""' + ignore_failure: true + # + # Copy _temp_.cisco to its final destination, cisco.asa or cisco.ftd. + # + - rename: + field: _temp_.cisco + target_field: "cisco.ftd" + ignore_failure: true + # + # Remove temporary fields + # + - remove: + field: _temp_ + ignore_missing: true + # + # Rename some 7.x fields + # + - rename: + field: cisco.ftd.list_id + target_field: cisco.ftd.rule_name + ignore_missing: true + # ECS categorization + - script: + lang: painless + params: + connection-finished: + kind: event + category: + - network + type: + - connection + - end + connection-started: + kind: event + category: + - network + type: + - connection + - start + file-detected: + kind: alert + category: + - malware + type: + - info + firewall-rule: + kind: event + category: + - network + type: + - info + flow-expiration: + kind: event + category: + - network + type: + - connection + - end + intrusion-detected: + kind: alert + category: + - intrusion_detection + type: + - info + malware-detected: + kind: event + category: + - malware + type: + - info + bypass: + kind: event + category: + - network + type: + - info + - change + error: + kind: event + outcome: failure + category: + - network + type: + - error + deleted: + kind: event + category: + - network + type: + - info + - deletion + - user + creation: + kind: event + category: + - network + type: + - info + - creation + - user + source: >- + if (ctx?.event?.action == null || 
!params.containsKey(ctx.event.action)) {
+ return;
+ }
+ ctx.event.kind = params.get(ctx.event.action).get('kind');
+ ctx.event.category = params.get(ctx.event.action).get('category').clone();
+ ctx.event.type = params.get(ctx.event.action).get('type').clone();
+ if (ctx?.event?.outcome == null) {
+ return;
+ }
+ if (ctx.event.category.contains('network') || ctx.event.category.contains('intrusion_detection')) {
+ if (ctx.event.outcome == 'success') {
+ ctx.event.type.add('allowed');
+ }
+ if (ctx.event.outcome == 'failure') {
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'block') {
+ ctx.event.outcome = 'success';
+ ctx.event.type.add('denied');
+ }
+ if (ctx.event.outcome == 'monitored') {
+ ctx.event.category.add('intrusion_detection');
+ ctx.event.outcome = 'success';
+ }
+ }
+
+ # Malware event kind is classified as alert when sha_disposition is "Malware", "Custom Detection" not for other cases.
+ - set:
+ if: 'ctx?.event?.code == "430005" && ["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.kind
+ value: alert
+ - append:
+ if: 'ctx?.event?.code == "430005" && !["Malware", "Custom Detection"].contains(ctx.cisco.ftd.security.sha_disposition)'
+ field: event.category
+ value: file
+
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "idps"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "ftd"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.ftd.destination_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.ftd.source_interface }}"
+ ignore_empty_value: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{source.nat.ip}}"
+ if: "ctx?.source?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.ip
+ value: "{{destination.nat.ip}}"
+ if: "ctx?.destination?.nat?.ip != null"
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{user.name}}"
+ if: ctx?.user?.name != null && ctx?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{server.user.name}}"
+ if: ctx?.server?.user?.name != null && ctx?.server?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ -
append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ # Copy any fields under _temp_.cisco to its final destination. Those can help
+ # with diagnosing the failure.
+ - rename:
+ field: _temp_.cisco
+ target_field: "cisco.ftd"
+ ignore_failure: true
+ # Remove _temp_ to avoid adding a lot of unnecessary fields to the index.
+ - remove:
+ field: _temp_
+ ignore_missing: true
+ - append:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/fields/agent.yml b/packages/cisco_ftd/2.2.2/data_stream/log/fields/agent.yml
new file mode 100755
index 0000000000..d38a70bd6b
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/fields/agent.yml
@@ -0,0 +1,207 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.source.address
+ type: keyword
+ description: Source address from which the log event was read / sent from.
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/2.2.2/data_stream/log/fields/base-fields.yml
new file mode 100755
index 0000000000..e02b7e2a25
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_ftd
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_ftd.log
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/2.2.2/data_stream/log/fields/ecs.yml
new file mode 100755
index 0000000000..36680e0077
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/fields/ecs.yml
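Review bot: `example: 666777888999` under `cloud.account.id` in the agent.yml hunk is a plain scalar, so any YAML consumer reads the example as an integer while the field itself is `type: keyword`; quoting it as `example: "666777888999"` keeps it a string and matches the quoted examples later in the same file (`"18D109"`, `"stretch"`). `ignore_above: 1024` is set on most keyword fields here but not on `project.id`, `image.id`, `os.build`, `os.codename`, `input.type` or `log.source.address`; if that split is deliberate (ECS-copied block versus package-local fields) a one-line comment such as `# package-local fields below: no ignore_above, matches the other cisco_ftd field files` would save the next reader a check, otherwise add the limit for consistency. The three `description: >` folded scalars (`containerized`, `os.build`, `os.codename`) are each followed by a blank line, which leaves a trailing newline in the rendered description where every other field in the file uses a plain or single-quoted scalar; `>-` would give the same text without the trailing newline.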
@@ -0,0 +1,582 @@
+- description: |-
+ Date/time when the event originated.
+ This is the date/time extracted from the event, typically representing when the event was generated by the source.
+ If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
+ Required field for all events.
+ name: '@timestamp'
+ type: date
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: client.user.name
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: |-
+ Translated ip of destination based NAT sessions (e.g. internet to private DMZ)
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.ip
+ type: ip
+- description: |-
+ Port the source session is translated to by NAT Device.
+ Typically used with load balancers, firewalls, or routers.
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.user.name
+ type: keyword
+- description: |-
+ The name being queried.
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
+ name: dns.question.name
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: The DNS response code.
+ name: dns.response_code
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ Identification code for this event, if one exists.
+ Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
+ name: event.code
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Duration of the event in nanoseconds.
+ If event.start and event.end are known this value should be the difference between the end and start time.
+ name: event.duration
+ type: long
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ Source of the event.
+ Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
+ name: event.provider
+ type: keyword
+- description: |-
+ Reason why this event happened, according to the source.
+ This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`).
+ name: event.reason
+ type: keyword
+- description: |-
+ The numeric severity of the event according to your event source.
+ What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source.
+ The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`.
+ name: event.severity
+ type: long
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
+ Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
+ name: event.timezone
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: SHA256 hash.
+ name: file.hash.sha256
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: file.path
+ type: keyword
+- description: |-
+ File size in bytes.
+ Only relevant when `file.type` is "file".
+ name: file.size
+ type: long
+- description: Referrer for this HTTP request.
+ name: http.request.referrer
+ type: keyword
+- description: HTTP response status code.
+ name: http.response.status_code
+ type: long
+- description: |-
+ Custom key/value pairs.
+ Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
+ Example: `docker` and `k8s` labels.
+ name: labels
+ type: object
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ Syslog numeric priority of the event, if available.
+ According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
+ name: log.syslog.priority
+ type: long
+- description: |-
+ The Syslog numeric facility of the log event, if available.
+ According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + name: log.syslog.facility.code + type: long +- description: |- + The Syslog numeric severity of the log event, if available. + If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + name: log.syslog.severity.code + type: long +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. + For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. + The field value must be normalized to lowercase for querying. + name: network.application + type: keyword +- description: |- + Total bytes transferred in both directions. + If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + name: network.bytes + type: long +- description: |- + Direction of the network traffic. + Recommended values are: + * ingress + * egress + * inbound + * outbound + * internal + * external + * unknown + + When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". + Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. + name: network.direction + type: keyword +- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + name: network.iana_number + type: keyword +- description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + name: network.inner + type: object +- description: VLAN ID as reported by the observer. + name: network.inner.vlan.id + type: keyword +- description: Optional VLAN name as reported by the observer. + name: network.inner.vlan.name + type: keyword +- description: |- + In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. + The field value must be normalized to lowercase for querying. + name: network.protocol + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + In the OSI Model this would be the Network Layer. 
ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Interface name as reported by the system. + name: observer.egress.interface.name + type: keyword +- description: Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + name: observer.egress.zone + type: keyword +- description: Hostname of the observer. + name: observer.hostname + type: keyword +- description: Interface name as reported by the system. + name: observer.ingress.interface.name + type: keyword +- description: Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + name: observer.ingress.zone + type: keyword +- description: IP addresses of the observer. + name: observer.ip + type: ip +- description: |- + Custom name of the observer. + This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. + If no custom name is needed, the field can be left empty. + name: observer.name + type: keyword +- description: The product name of the observer. + name: observer.product + type: keyword +- description: |- + The type of the observer the data is coming from. + There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + name: observer.type + type: keyword +- description: Vendor name of the observer. + name: observer.vendor + type: keyword +- description: Observer version. + name: observer.version + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: Process id. 
+ name: process.pid + type: long +- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + name: related.hash + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. + This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. + Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + name: service.id + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. 
+ name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: Bytes sent from the source to the destination. + name: source.bytes + type: long +- description: |- + The domain name of the source system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: source.domain + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Translated ip of source based NAT sessions (e.g. internal client to internet) + Typically connections traversing load balancers, firewalls, or routers. + name: source.nat.ip + type: ip +- description: |- + Translated port of source based NAT sessions. (e.g. internal client to internet) + Typically used with load balancers, firewalls, or routers. + name: source.nat.port + type: long +- description: Packets sent from the source to the destination. + name: source.packets + type: long +- description: Port of the source. + name: source.port + type: long +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: source.user.name + type: keyword +- description: List of keywords used to tag each event. 
+ name: tags + type: keyword +- description: |- + Domain of the url, such as "www.elastic.co". + In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. + name: url.domain + type: keyword +- description: |- + The field contains the file extension from the original request url, excluding the leading dot. + The file extension is only set if it exists, as not every url has a file extension. + The leading period must not be included. For example, the value must be "png", not ".png". + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: url.extension + type: keyword +- description: |- + Portion of the url after the `#`, such as "top". + The `#` is not part of the fragment. + name: url.fragment + type: keyword +- description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + multi_fields: + - name: text + type: match_only_text + name: url.full + type: wildcard +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: Password of the request. + name: url.password + type: keyword +- description: Path of the request, such as "/search". + name: url.path + type: wildcard +- description: Port of the request, such as 443. 
+ name: url.port + type: long +- description: |- + The query field describes the query string of the request, such as "q=elasticsearch". + The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + name: url.query + type: keyword +- description: |- + The highest registered url domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: url.registered_domain + type: keyword +- description: |- + Scheme of the request, such as "https". + Note: The `:` is not part of the scheme. + name: url.scheme + type: keyword +- description: |- + The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: url.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". 
+ name: url.top_level_domain + type: keyword +- description: Username of the request. + name: url.username + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: Port of the server. + name: server.port + type: long +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: server.user.name + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
+ name: client.address + type: keyword +- description: Port of the client. + name: client.port + type: long +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/fields/fields.yml b/packages/cisco_ftd/2.2.2/data_stream/log/fields/fields.yml new file mode 100755 index 0000000000..26b46deb16 --- /dev/null +++ b/packages/cisco_ftd/2.2.2/data_stream/log/fields/fields.yml 
@@ -0,0 +1,149 @@
+- name: cisco.ftd
+ type: group
+ fields:
+ - name: message_id
+ type: keyword
+ description: |
+ The Cisco FTD message identifier.
+ - name: suffix
+ type: keyword
+ description: |
+ Optional suffix after %FTD identifier.
+ - name: source_interface
+ type: keyword
+ description: |
+ Source interface for the flow or event.
+ - name: destination_interface
+ type: keyword
+ description: |
+ Destination interface for the flow or event.
+ - name: rule_name
+ type: keyword
+ description: |
+ Name of the Access Control List rule that matched this event.
+ - name: source_username
+ type: keyword
+ description: |
+ Name of the user that is the source for this event.
+ - name: destination_username
+ type: keyword
+ description: |
+ Name of the user that is the destination for this event.
+ - name: mapped_source_ip
+ type: ip
+ description: |
+ The translated source IP address.
+ - name: mapped_source_port
+ type: long
+ description: |
+ The translated source port.
+ - name: mapped_destination_ip
+ type: ip
+ description: |
+ The translated destination IP address.
+ - name: mapped_destination_port
+ type: long
+ description: |
+ The translated destination port.
+ - name: threat_level
+ type: keyword
+ description: |
+ Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
+ - name: threat_category
+ type: keyword
+ description: |
+ Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
+ - name: connection_id
+ type: keyword
+ description: |
+ Unique identifier for a flow.
+ - name: icmp_type
+ type: short
+ description: |
+ ICMP type.
+ - name: icmp_code
+ type: short
+ description: |
+ ICMP code.
+ - name: connection_type
+ type: keyword
+ description: |
+ The VPN connection type
+ - name: dap_records
+ type: keyword
+ description: |
+ The assigned DAP records
+ - name: mapped_destination_host
+ type: keyword
+ - name: username
+ type: keyword
+ - name: mapped_source_host
+ type: keyword
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: |
+ The command line arguments logged by the local audit log
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: |
+ The IP address assigned to a VPN client successfully connecting
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the old value
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: |
+ When a users privilege is changed this is the new value
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: |
+ The related object for burst warnings
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: |
+ The related rate ID for burst warnings
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current burst rate seen
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured burst rate
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current average burst rate seen
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: |
+ The current configured average burst rate allowed
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: |
+ The total count of burst rate hits since the object was created or cleared
+ - name: security
+ type: flattened
+ description: Cisco FTD security event fields.
+ - name: webvpn.group_name
+ type: keyword
+ default_field: false
+ description: |
+ The WebVPN group name the user belongs to
+ - name: termination_user
+ default_field: false
+ type: keyword
+ description: |-
+ AAA name of user requesting termination
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/manifest.yml b/packages/cisco_ftd/2.2.2/data_stream/log/manifest.yml
new file mode 100755
index 0000000000..4491bc8ae3
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/manifest.yml
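Review bot: `mapped_destination_host`, `username` and `mapped_source_host` are the only entries in this hunk declared without a `description`, so they show up undocumented in the generated field reference while every neighbouring field carries one. Following the wording of the adjacent `mapped_source_ip` / `mapped_destination_ip` entries, I would add `description: |` blocks along the lines of `The translated destination host name.`, `Name of the user associated with this event.` and `The translated source host name.`, checking the wording against the message formats the pipeline actually extracts these from. The final `termination_user` entry also switches to `description: |-` where the rest of the file uses `|`; the two are harmless here but one style should be used throughout.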
@@ -0,0 +1,172 @@
+title: Cisco FTD logs
+type: logs
+streams:
+ - input: udp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: udp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: udp_host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: udp_port
+ type: integer
+ title: UDP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - input: tcp
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs
+ template_path: tcp.yml.hbs
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: tcp_host
+ type: text
+ title: TCP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: tcp_port
+ type: integer
+ title: TCP Port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 9003
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: tcp_options
+ type: yaml
+ title: Custom TCP Options
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #max_connections: 1
+ #framing: delimitier
+ #line_delimiter: "\n"
+ description: Specify custom configuration options for the TCP input.
+ - input: logfile
+ enabled: false
+ title: Cisco FTD logs
+ description: Collect Cisco FTD logs from file
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/cisco-ftd.log
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - cisco-ftd
+ - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
diff --git a/packages/cisco_ftd/2.2.2/data_stream/log/sample_event.json b/packages/cisco_ftd/2.2.2/data_stream/log/sample_event.json
new file mode 100755
index 0000000000..161d408ca2
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/data_stream/log/sample_event.json
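Review bot: The commented example in the `tcp_options` default of the tcp stream reads `#framing: delimitier`, so a user who uncomments it to enable custom framing gets a value the TCP input's framing setting does not accept (it takes `delimiter` or `rfc6587`). Change the line to `#framing: delimiter` so the template is copy-safe. In the same stream, the `ssl` var's `description: i.e. certificate_authorities, supported_protocols, verification_mode etc.` lists examples rather than a definition, so `e.g.` is the intended abbreviation; a short pointer to the input's SSL reference would also help operators decide which of these options to set for a TLS syslog listener.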
@@ -0,0 +1,156 @@ +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": "http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + 
"dataset": "cisco_ftd.log", + "ingested": "2022-06-22T01:38:18Z", + "kind": "event", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + "host": { + "hostname": "firepower" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.31.0.6:55524" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": 
"http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} \ No newline at end of file diff --git a/packages/cisco_ftd/2.2.2/docs/README.md b/packages/cisco_ftd/2.2.2/docs/README.md new file mode 100755 index 0000000000..0e50692c48 --- /dev/null +++ b/packages/cisco_ftd/2.2.2/docs/README.md 
@@ -0,0 +1,397 @@ +# Cisco FTD Integration + +This integration is for [Cisco](https://www.cisco.com/c/en/us/support/security/index.html) Firepower Threat Defence (FTD) device's logs. The package processes syslog messages from Cisco Firepower devices + +It includes the following datasets for receiving logs over syslog or read from a file: + +- `log` dataset: supports Cisco Firepower Threat Defense (FTD) logs. + +## Configuration + +Cisco provides a range of Firepower devices, which may have different configuration steps. We recommend users navigate to the device specific configuration page, and search for/go to the "FTD Logging" or "Configure Logging on FTD" page for the specific device. + +## Logs + +### FTD + +The `log` dataset collects the Cisco Firepower Threat Defense (FTD) logs. + +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2019-08-16T09:39:03.000Z", + "agent": { + "ephemeral_id": "173348ff-0df7-4c59-b0b0-f4aad4a82751", + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "cisco": { + "ftd": { + "rule_name": "malware-and-file-policy", + "security": { + "application_protocol": "HTTP", + "client": "cURL", + "dst_ip": "81.2.69.144", + "dst_port": "80", + "file_action": "Malware Cloud Lookup", + "file_direction": "Download", + "file_name": "eicar_com.zip", + "file_policy": "malware-and-file-policy", + "file_sandbox_status": "File Size Is Too Small", + "file_sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad", + "file_size": "184", + "file_storage_status": "Not Stored (Disposition Was Pending)", + "file_type": "ZIP", + "first_packet_second": "2019-08-16T09:39:02Z", + "protocol": "tcp", + "sha_disposition": "Unavailable", + "spero_disposition": "Spero detection not performed on file", + "src_ip": "10.0.1.20", + "src_port": "46004", + "threat_name": "Win.Ransomware.Eicar::95.sbx.tg", + "uri": 
"http://www.eicar.org/download/eicar_com.zip", + "user": "No Authentication Required" + }, + "threat_category": "Win.Ransomware.Eicar::95.sbx.tg" + } + }, + "data_stream": { + "dataset": "cisco_ftd.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "81.2.69.144", + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 80 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b9045ecb-c8cf-4d1a-8b37-757e202e9ea1", + "snapshot": false, + "version": "8.2.0" + }, + "event": { + "action": "malware-detected", + "agent_id_status": "verified", + "category": [ + "malware", + "file" + ], + "code": "430005", + "dataset": "cisco_ftd.log", + "ingested": "2022-06-22T01:38:18Z", + "kind": "event", + "original": "2019-08-16T09:39:03Z firepower %FTD-1-430005: SrcIP: 10.0.1.20, DstIP: 81.2.69.144, SrcPort: 46004, DstPort: 80, Protocol: tcp, FileDirection: Download, FileAction: Malware Cloud Lookup, FileSHA256: 2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad, SHA_Disposition: Unavailable, SperoDisposition: Spero detection not performed on file, ThreatName: Win.Ransomware.Eicar::95.sbx.tg, FileName: eicar_com.zip, FileType: ZIP, FileSize: 184, ApplicationProtocol: HTTP, Client: cURL, User: No Authentication Required, FirstPacketSecond: 2019-08-16T09:39:02Z, FilePolicy: malware-and-file-policy, FileStorageStatus: Not Stored (Disposition Was Pending), FileSandboxStatus: File Size Is Too Small, URI: http://www.eicar.org/download/eicar_com.zip", + "severity": 1, + "start": "2019-08-16T09:39:02Z", + "timezone": "+00:00", + "type": [ + "info" + ] + }, + "file": { + "hash": { + "sha256": "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + }, + "name": "eicar_com.zip", + "size": 184 + }, + 
"host": { + "hostname": "firepower" + }, + "input": { + "type": "tcp" + }, + "log": { + "level": "alert", + "source": { + "address": "172.31.0.6:55524" + } + }, + "network": { + "application": "curl", + "iana_number": "6", + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "hostname": "firepower", + "product": "ftd", + "type": "idps", + "vendor": "Cisco" + }, + "related": { + "hash": [ + "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" + ], + "hosts": [ + "firepower" + ], + "ip": [ + "10.0.1.20", + "81.2.69.144" + ], + "user": [ + "No Authentication Required" + ] + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20", + "port": 46004 + }, + "tags": [ + "preserve_original_event", + "cisco-ftd", + "forwarded" + ], + "url": { + "domain": "www.eicar.org", + "extension": "zip", + "original": "http://www.eicar.org/download/eicar_com.zip", + "path": "/download/eicar_com.zip", + "scheme": "http" + }, + "user": { + "id": "No Authentication Required", + "name": "No Authentication Required" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | +| cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | +| cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | +| cisco.ftd.burst.configured_rate | The current configured burst rate | keyword | +| cisco.ftd.burst.cumulative_count | The total count of burst rate hits since the object was created or cleared | keyword | +| cisco.ftd.burst.current_rate | The current burst rate seen | keyword | +| cisco.ftd.burst.id | The related rate ID for burst warnings | keyword | +| cisco.ftd.burst.object | The related object for burst warnings | keyword | +| cisco.ftd.command_line_arguments | The command line arguments logged by the local audit log | keyword | +| cisco.ftd.connection_id | Unique identifier for a flow. | keyword | +| cisco.ftd.connection_type | The VPN connection type | keyword | +| cisco.ftd.dap_records | The assigned DAP records | keyword | +| cisco.ftd.destination_interface | Destination interface for the flow or event. | keyword | +| cisco.ftd.destination_username | Name of the user that is the destination for this event. | keyword | +| cisco.ftd.icmp_code | ICMP code. | short | +| cisco.ftd.icmp_type | ICMP type. | short | +| cisco.ftd.mapped_destination_host | | keyword | +| cisco.ftd.mapped_destination_ip | The translated destination IP address. | ip | +| cisco.ftd.mapped_destination_port | The translated destination port. | long | +| cisco.ftd.mapped_source_host | | keyword | +| cisco.ftd.mapped_source_ip | The translated source IP address. | ip | +| cisco.ftd.mapped_source_port | The translated source port. | long | +| cisco.ftd.message_id | The Cisco FTD message identifier. 
| keyword | +| cisco.ftd.privilege.new | When a users privilege is changed this is the new value | keyword | +| cisco.ftd.privilege.old | When a users privilege is changed this is the old value | keyword | +| cisco.ftd.rule_name | Name of the Access Control List rule that matched this event. | keyword | +| cisco.ftd.security | Cisco FTD security event fields. | flattened | +| cisco.ftd.source_interface | Source interface for the flow or event. | keyword | +| cisco.ftd.source_username | Name of the user that is the source for this event. | keyword | +| cisco.ftd.suffix | Optional suffix after %FTD identifier. | keyword | +| cisco.ftd.termination_user | AAA name of user requesting termination | keyword | +| cisco.ftd.threat_category | Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. | keyword | +| cisco.ftd.threat_level | Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. | keyword | +| cisco.ftd.username | | keyword | +| cisco.ftd.webvpn.group_name | The WebVPN group name the user belongs to | keyword | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.user.name | Short name or login of the user. | keyword | +| client.user.name.text | Multi-field of `client.user.name`. 
| match_only_text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. 
| match_only_text | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | +| destination.nat.port | Port the source session is translated to by NAT Device. Typically used with load balancers, firewalls, or routers. | long | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| destination.user.name | Short name or login of the user. | keyword | +| destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. 
| keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | +| event.dataset | Event dataset | constant_keyword | +| event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. 
The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | +| file.path.text | Multi-field of `file.path`. | match_only_text | +| file.size | File size in bytes. Only relevant when `file.type` is "file". | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.status_code | HTTP response status code. | long | +| input.type | Input type. | keyword | +| labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. 
| keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. 
For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. 
| keyword | +| network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| observer.product | The product name of the observer. | keyword | +| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | +| observer.vendor | Vendor name of the observer. | keyword | +| observer.version | Observer version. | keyword | +| process.name | Process name. 
Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.pid | Process id. | long | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.user.name | Short name or login of the user. | keyword | +| server.user.name.text | Multi-field of `server.user.name`. | match_only_text | +| service.id | Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. 
| keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| source.user.name | Short name or login of the user. 
| keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword |
+| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard |
+| url.full.text | Multi-field of `url.full`. | match_only_text |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.original.text | Multi-field of `url.original`. | match_only_text |
+| url.password | Password of the request. | keyword |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.port | Port of the request, such as 443. | long |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". 
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword |
+| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| url.username | Username of the request. | keyword |
+| user.email | User email address. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.name | Short name or login of the user. 
| keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text |
+
diff --git a/packages/cisco_ftd/2.2.2/img/cisco.svg b/packages/cisco_ftd/2.2.2/img/cisco.svg
new file mode 100755
index 0000000000..20ebebf197
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/img/cisco.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/cisco_ftd/2.2.2/manifest.yml b/packages/cisco_ftd/2.2.2/manifest.yml
new file mode 100755
index 0000000000..4cef366ed1
--- /dev/null
+++ b/packages/cisco_ftd/2.2.2/manifest.yml
@@ -0,0 +1,34 @@
+format_version: 1.0.0
+name: cisco_ftd
+title: Cisco FTD
+version: 2.2.2
+license: basic
+description: Collect logs from Cisco FTD with Elastic Agent.
+type: integration
+categories:
+ - network
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/cisco.svg
+ title: cisco
+ size: 216x216
+ type: image/svg+xml
+policy_templates:
+ - name: cisco_ftd
+ title: Cisco FTD logs
+ description: Collect logs from Cisco FTD instances
+ inputs:
+ - type: tcp
+ title: Collect logs from Cisco FTD via TCP
+ description: Collecting logs from Cisco FTD via TCP
+ - type: udp
+ title: Collect logs from Cisco FTD via UDP
+ description: Collecting logs from Cisco FTD via UDP
+ - type: logfile
+ title: Collect logs from Cisco FTD via file
+ description: Collecting logs from Cisco FTD via file
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/gcp/1.9.2/changelog.yml b/packages/gcp/1.9.2/changelog.yml
new file mode 100755
index 0000000000..32a450ca10
--- /dev/null
+++ b/packages/gcp/1.9.2/changelog.yml
@@ -0,0 +1,152 @@
+# newer versions go on top
+- version: "1.9.2"
+ changes:
+ - description: Fix GCP auditlog parsing issue on response status
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3583
+- version: "1.9.1"
+ changes:
+ - description: Update readme
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3103
+- version: "1.9.0"
+ changes:
+ - description: Preserve request and response in flattened fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3390
+- version: "1.8.0"
+ changes:
+ - description: Add missing `cloud.provider` field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3274
+- version: "1.7.0"
+ changes:
+ - description: Add dashboards for firewall and vpc flow logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3280
+ - description: Add missing mappings for several `event.*` fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3280
+- version: "1.6.1"
+ changes:
+ - description: Clarify the GCP privileges required by the Pub/Sub input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3206
+- version: "1.6.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2779
+- version: "1.5.1"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.5.0"
+ changes:
+ - description: Improve Google Cloud Platform docs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2842
+- version: "1.4.2"
+ changes:
+ - description: Remove emtpy values, names with only dots, and invalid client IPs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2747
+- version: "1.4.1"
+ changes:
+ - description: Fix quoting of the credentials_json value in policy templates. 
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2712
+- version: "1.4.0"
+ changes:
+ - description: Add gcp.dns integration
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2624
+- version: "1.3.1"
+ changes:
+ - description: Add Ingest Pipeline script to map IANA Protocol Numbers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2470
+- version: "1.3.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2406
+- version: "1.2.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.2.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2251
+- version: "1.1.2"
+ changes:
+ - description: Update Title and Description. 
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1965
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1818
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1661
+- version: "1.0.0"
+ changes:
+ - description: Move from experimental to GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1568
+ - description: remove experimental from data_sets
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1717
+- version: "0.3.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1478
+- version: '0.3.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1385
+- version: "0.3.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.3.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.2.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1240
+- version: "0.1.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1045
+- version: "0.0.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/846
+- version: "0.0.1"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/459 
diff --git a/packages/gcp/1.9.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
new file mode 100755
index 0000000000..d582de0a80
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/agent/stream/gcp-pubsub.yml.hbs
@@ -0,0 +1,27 @@
+project_id: {{project_id}}
+topic: {{topic}}
+subscription.name: {{subscription_name}}
+{{#if credentials_file}}
+credentials_file: {{credentials_file}}
+{{/if}}
+{{#if credentials_json}}
+credentials_json: '{{credentials_json}}'
+{{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
+subscription.create: {{subscription_create}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gcp/1.9.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..69722b2d4a
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
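Review bot: Only `credentials_json` is quoted in this stream template; `project_id`, `topic`, `subscription.name`, `credentials_file` and `alternative_host` are emitted as bare `{{...}}` expansions, so an empty value renders as a YAML null and a value containing `: ` or ` #` changes the structure of the rendered agent stream configuration rather than just its content. Quoting them the same way, e.g. `project_id: "{{project_id}}"` and `alternative_host: "{{alternative_host}}"`, makes the rendered output independent of the value's shape; `subscription.create` can stay bare because it carries a boolean. Whether Fleet validates these policy variables before rendering is not visible here, so the quoting is worth having regardless.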
@@ -0,0 +1,397 @@
+---
+description: Pipeline for Google Cloud audit logs
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - set:
+ field: gcp.audit.type
+ copy_from: "json.protoPayload.@type"
+ ignore_failure: true
+##
+# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
+# protoPayload @type must be type.googleapis.com/google.cloud.audit.AuditLog
+##
+ - drop:
+ description: Drop the document if it is not of AuditLog type
+ if: ctx.gcp?.audit?.type != null && ctx.gcp?.audit?.type != 'type.googleapis.com/google.cloud.audit.AuditLog'
+# .insertId
+ - set:
+ field: event.id
+ copy_from: json.insertId
+ if: ctx.json?.insertId != null
+# .logName
+ - rename:
+ field: json.logName
+ target_field: log.logger
+ ignore_missing: true
+# .severity
+ - rename:
+ field: json.severity
+ target_field: log.level
+ ignore_missing: true
+##
+# Extract the type of audit logging data from logName to event.provider
+# https://cloud.google.com/pubsub/docs/audit-logging#log_name
+##
+ - dissect:
+ field: log.logger
+ pattern: "%{}%2F%{event.provider}"
+ ignore_missing: true
+ # NOTE test data fails the spec
+ ignore_failure: true
+
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: cloud.provider
+ value: gcp
+ - date:
+ field: json.timestamp
+ timezone: UTC
+ formats:
+ - ISO8601
+##
+# MonitoredResource
+# .resource
+# MonitoredResource https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource
+##
+ - set:
+ field: cloud.project.id
+ copy_from: json.resource.labels.project_id
+ if: ctx.json?.resource?.labels?.project_id != null
+ - set:
+ field: cloud.instance.id
+ copy_from: json.resource.labels.instance_id
+ if: ctx.json?.resource?.labels?.instance_id != null
+##
+# MonitoredResourceDescriptor type
+# 
https://cloud.google.com/logging/docs/reference/v2/rest/v2/monitoredResourceDescriptors/list#MonitoredResourceDescriptor
+# resource list values https://cloud.google.com/logging/docs/api/v2/resource-list
+##
+ - set:
+ field: orchestrator.type
+ value: kubernetes
+ if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
+ - set:
+ field: orchestrator.cluster.name
+ copy_from: json.resource.labels.cluster_name
+ ignore_empty_value: true
+ if: ctx.json?.resource?.type != null && (ctx.json?.resource?.type == 'k8s_cluster' || ctx.json?.resource?.type == 'gke_cluster')
+ - set:
+ field: _temp.type
+ copy_from: json.protoPayload.resourceName
+ ignore_empty_value: true
+ if: ctx.json?.resource?.type != null && ctx.json?.resource?.type == 'k8s_cluster'
+ - grok:
+ field: _temp.type
+ patterns:
+ - '%{DATA}/%{API_VERSION:orchestrator.api_version}/namespaces/%{DATA:orchestrator.namespace}/%{RESOURCE_TYPE:orchestrator.resource.type}(/%{HOSTNAME:orchestrator.resource.name})?'
+ - '%{DATA}/%{API_VERSION:orchestrator.api_version}/%{RESOURCE_TYPE:orchestrator.resource.type}'
+ - 'apis/%{RESOURCE_TYPE:orchestrator.resource.type}/%{API_VERSION:orchestrator.api_version}'
+ - 'api/%{API_VERSION:orchestrator.api_version}'
+ - '%{RESOURCE_TYPE:orchestrator.resource.type}'
+ pattern_definitions:
+ API_VERSION: (v\d+([a-z]+)?(\d+)?)
+ RESOURCE_TYPE: ([a-z]+((\.[a-z0-9]+)+)?) 
+ ignore_missing: true
+
+##
+# AuthenticationInfo
+# .protoPayload.authenticationInfo
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo
+##
+# email address of authenticated user (redacted) or service account
+# principalEmail -> client.user.email
+ - rename:
+ field: json.protoPayload.authenticationInfo.principalEmail
+ target_field: client.user.email
+ ignore_missing: true
+# identity of requesting first or third party
+# principalSubject -> client.user.id
+ - rename:
+ field: json.protoPayload.authenticationInfo.principalSubject
+ target_field: client.user.id
+ ignore_missing: true
+ - rename:
+ field: json.protoPayload.authenticationInfo.authoritySelector
+ target_field: gcp.audit.authentication_info.authority_selector
+ ignore_missing: true
+
+# TODO remove - duplicated in client.user.email and client.user.id
+ - set:
+ field: gcp.audit.authentication_info.principal_email
+ copy_from: client.user.email
+ if: ctx.client?.user?.email != null
+ - set:
+ field: gcp.audit.authentication_info.principal_subject
+ copy_from: client.user.id
+ if: ctx.client?.user?.id != null
+##
+# AuthorizationInfo
+# .protoPayload.authorizationInfo
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#authorizationinfo
+##
+ - rename:
+ field: json.protoPayload.authorizationInfo
+ target_field: gcp.audit.authorization_info
+ ignore_missing: true
+ - foreach:
+ field: gcp.audit.authorization_info
+ ignore_missing: true
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.resourceAttributes
+ target_field: _ingest._value.resource_attributes
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List
+
+##
+# Labels
+# .labels
+##
+ - set:
+ field: gcp.audit.labels
+ copy_from: json.labels
+ if: ctx.json?.labels != null
+##
+# RequestMetadata
+# .protoPayload.requestMetadata
+# 
https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#requestmetadata
+##
+ - convert:
+ if: ctx.json?.protoPayload?.requestMetadata?.callerIp != null && ctx.json?.protoPayload?.requestMetadata?.callerIp != "gce-internal-ip"
+ type: ip
+ field: json.protoPayload.requestMetadata.callerIp
+ target_field: source.ip
+ ignore_missing: true
+ # TODO remove - duplicated in useragent
+ - rename:
+ field: json.protoPayload.requestMetadata.callerSuppliedUserAgent
+ target_field: gcp.audit.request_metadata.caller_supplied_user_agent
+ ignore_missing: true
+ - set:
+ field: user_agent.original
+ value: "{{gcp.audit.request_metadata.caller_supplied_user_agent}}"
+ if: ctx?.gcp?.audit?.request_metadata?.caller_supplied_user_agent != null
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+##
+# LogEntryOperation
+# .operation
+# https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#logentryoperation
+##
+# set only if it is not the same as insertId
+ - set:
+ field: gcp.audit.logentry_operation.id
+ copy_from: json.operation.id
+ if: ctx.json?.operation?.id != null && ctx.event?.id != null && ctx.event?.id != ctx.json?.operation?.id
+ - script:
+ lang: painless
+ description: set event.category and type for long running operation
+ tag: set-event-type-for-long-operations
+ if: ctx.json?.operation != null
+ source: |
+ def first = (ctx.json.operation.first == null) ? false : ctx.json.operation.first;
+ def last = (ctx.json.operation.last == null) ? 
false : ctx.json.operation.last;
+ if (first && last) {
+ return;
+ }
+ if (ctx.event.category == null) {
+ ctx.event.category = new ArrayList();
+ }
+ if (ctx.event.type == null) {
+ ctx.event.type = new ArrayList();
+ }
+ ctx.event.category.add('session');
+ if (first == true && last == false) {
+ ctx.event.type.add('start');
+ }
+ if (first == false && last == true) {
+ ctx.event.type.add('end');
+ }
+
+# TODO remove duplicate protoPayload.methodName
+ - rename:
+ field: json.protoPayload.methodName
+ target_field: gcp.audit.method_name
+ ignore_missing: true
+ - set:
+ field: event.action
+ value: "{{gcp.audit.method_name}}"
+ if: ctx?.gcp?.audit?.method_name != null
+ - convert:
+ field: json.protoPayload.numResponseItems
+ target_field: gcp.audit.num_response_items
+ type: long
+ ignore_missing: true
+ - set:
+ field: gcp.audit.request
+ copy_from: json.protoPayload.request
+ if: ctx.json?.protoPayload?.request != null
+ - set:
+ field: gcp.audit.response
+ copy_from: json.protoPayload.response
+ if: ctx.json?.protoPayload?.response != null
+ - remove:
+ field: gcp.audit.response.status
+ ignore_missing: true
+ if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map)
+ - rename:
+ field: json.protoPayload.response.status
+ target_field: gcp.audit.response.status_value
+ ignore_missing: true
+ if: ctx.json?.protoPayload?.response?.status != null && !(ctx.json?.protoPayload?.response.status instanceof Map)
+ - rename:
+ field: json.protoPayload.resourceName
+ target_field: gcp.audit.resource_name
+ ignore_missing: true
+ if: ctx.orchestrator?.type != 'kubernetes'
+ - rename:
+ field: json.protoPayload.resourceLocation.currentLocations
+ target_field: gcp.audit.resource_location.current_locations
+ ignore_missing: true
+# TODO remove duplicate json.protoPayload.serviceName
+ - rename:
+ field: json.protoPayload.serviceName
+ target_field: gcp.audit.service_name
+ ignore_missing: true
+ - set:
+ field: 
service.name
+ value: "{{gcp.audit.service_name}}"
+ if: ctx?.gcp?.audit?.service_name != null
+##
+# .protoPayload.Status
+# https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#Status
+# google.rpc.Code referred in Status can have the following values
+# https://github.com/googleapis/googleapis/blob/master/google/rpc/code.proto
+##
+ - convert:
+ field: json.protoPayload.status.code
+ target_field: gcp.audit.status.code
+ type: long
+ ignore_missing: true
+ - rename:
+ field: json.protoPayload.status.message
+ target_field: gcp.audit.status.message
+ ignore_missing: true
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx.gcp?.audit?.status?.code != null && ctx.gcp?.audit?.status?.code == 0
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.gcp?.audit?.status?.code != null && ctx?.gcp?.audit?.status?.code != 0
+ - set:
+ field: event.outcome
+ value: success
+ if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted
+ - set:
+ field: event.outcome
+ value: failure
+ if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted
+ - set:
+ field: event.outcome
+ value: unknown
+ if: ctx?.event?.outcome == null
+
+##
+# if gcp.audit.authorization_info.[0].granted is true then
+# set event.category [network, configuration] and event.type to [access, allowed];
+# Caveat
+# 1. protoPayload.resourceName is a single value while authorization_info[].resource
+# is a list.
+# 2. as per test data authorization_info may not be as per spec. 
+##
+ - append:
+ field: event.category
+ value: ['network', 'configuration']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1
+ - append:
+ field: event.type
+ value: ['access', 'allowed']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted
+ - append:
+ field: event.type
+ value: ['access', 'denied']
+ if: ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && !ctx?.gcp?.audit?.authorization_info[0]?.granted
+
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+
+##
+# clean-up
+##
+ - remove:
+ field:
+ - _temp
+ - json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null and empty values and dotted keys recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ def m = ((Map) o);
+ def it = m.entrySet().iterator();
+ while (it.hasNext()) {
+ def e = ((Map.Entry) it.next());
+ def key = 
((String) e.getKey());
+ def value = e.getValue();
+ Pattern onlyDotsRegex = /^\.+$/;
+ if (onlyDotsRegex.matcher(key).matches() || drop(value)) {
+ it.remove();
+ }
+ }
+ return (m.size() == 0);
+ } else if (o instanceof List) {
+ def l = ((List) o);
+ l.removeIf(v -> drop(v));
+ return (l.length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/1.9.2/data_stream/audit/fields/agent.yml b/packages/gcp/1.9.2/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/fields/agent.yml
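Review bot: The two `event.outcome` set processors that fall back to `authorization_info[0].granted` dereference `.granted` with no null guard, while the later `append` processors on the same list first check `authorization_info[0]?.granted != null`; the pipeline's own comment says test data does not always match the spec, so an entry without `granted` would likely make that `if` condition error and route the document to `on_failure`, leaving it with `error.message` set and no `event.outcome`, geo enrichment or clean-up. Aligning the conditions, `... && ctx?.gcp?.audit?.authorization_info[0]?.granted != null && ctx?.gcp?.audit?.authorization_info[0]?.granted` (and the negated form on the `failure` processor), keeps the outcome logic and the category/type logic consistent. The `convert` of `requestMetadata.callerIp` to `ip` has the same failure mode: it excludes only the literal `"gce-internal-ip"` and sets `ignore_missing` but not `ignore_failure`, so any other non-address value aborts the whole pipeline instead of just leaving `source.ip` unset. Adding `ignore_failure: true` to that processor is the safer default for a field that detection rules key on, since a partially parsed event still carries the rest of the audit record.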
@@ -0,0 +1,199 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance. 
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses. 
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset 
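Review bot: `example: 666777888999` on the `cloud` group's `account.id` field is an unquoted all-digit value for a `keyword` field, so YAML parsers read it as an integer, whereas the later examples in this same file (`"18D109"`, `"stretch"`) are quoted strings. `example: "666777888999"` keeps the example the same type as the field it documents and consistent with the rest of the file; the `os.version` example `10.14.1` is safe only because it has two dots, which is worth a glance if that list is ever extended.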
diff --git a/packages/gcp/1.9.2/data_stream/audit/fields/base-fields.yml b/packages/gcp/1.9.2/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..4a7da76510
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.audit
diff --git a/packages/gcp/1.9.2/data_stream/audit/fields/ecs.yml b/packages/gcp/1.9.2/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..982283187d
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,202 @@ +- description: Container name. + name: container.name + type: keyword +- description: Runtime managing this container. + name: container.runtime + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. 
+ name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. 
For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. + If the event wasn't read from a log file, do not populate this field. + name: log.file.path + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + name: log.logger + type: keyword +- description: |- + Original log level of the log event. + If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). + Some examples are `warn`, `err`, `i`, `informational`. + name: log.level + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: API version being used to carry out the action + name: orchestrator.api_version + type: keyword +- description: Name of the cluster. + name: orchestrator.cluster.name + type: keyword +- description: URL of the API used to manage the cluster. + name: orchestrator.cluster.url + type: keyword +- description: The version of the cluster. + name: orchestrator.cluster.version + type: keyword +- description: Namespace in which the action is taking place. + name: orchestrator.namespace + type: keyword +- description: Organization affected by the event (for multi-tenant orchestrator setups). 
+ name: orchestrator.organization + type: keyword +- description: Name of the resource being acted upon. + name: orchestrator.resource.name + type: keyword +- description: Type of resource being acted upon. + name: orchestrator.resource.type + type: keyword +- description: Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). + name: orchestrator.type + type: keyword +- description: |- + Name of the service data is collected from. + The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. + In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. + name: service.name + type: keyword +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: OS family (such as redhat, debian, freebsd, windows). + name: user_agent.os.family + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system kernel version as a raw string. + name: user_agent.os.kernel + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system platform (such centos, ubuntu, windows). + name: user_agent.os.platform + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword +- description: User email address. + name: client.user.email + type: keyword +- description: Unique identifier of the user. + name: client.user.id + type: keyword +- description: Error code describing the error. + name: error.code + type: keyword +- description: Error message. + name: error.message + type: match_only_text 
diff --git a/packages/gcp/1.9.2/data_stream/audit/fields/fields.yml b/packages/gcp/1.9.2/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..12064f765e
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/audit/fields/fields.yml
@@ -0,0 +1,115 @@ +- name: gcp.audit + type: group + fields: + - name: type + type: keyword + description: | + Type property. + - name: authentication_info + type: group + fields: + - name: principal_email + type: keyword + description: "The email address of the authenticated user making the request." + - name: authority_selector + type: keyword + description: "The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority." + - name: principal_subject + type: keyword + description: "String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities." + - name: authorization_info + type: array + description: | + Authorization information for the operation. + fields: + - name: permission + type: keyword + description: "The required IAM permission." + - name: granted + type: boolean + description: "Whether or not authorization for resource and permission was granted." + - name: resource + type: keyword + description: "The resource being accessed, as a REST-style string." + - name: resource_attributes + type: group + fields: + - name: service + type: keyword + description: | + The name of the service. + - name: name + type: keyword + description: | + The name of the resource. + - name: type + type: keyword + description: | + The type of the resource. + - name: labels + type: flattened + description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined." + - name: logentry_operation + type: group + fields: + - name: id + type: keyword + description: "Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation." + - name: producer + type: keyword + description: "Optional. An arbitrary producer identifier. 
The combination of id and producer must be globally unique." + - name: first + type: boolean + description: "Optional. Set this to True if this is the first log entry in the operation." + - name: last + type: boolean + description: "Optional. Set this to True if this is the last log entry in the operation." + - name: method_name + type: keyword + description: | + The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + - name: num_response_items + type: long + description: | + The number of items returned from a List or Query API method, if applicable. + - name: request + type: flattened + - name: request_metadata + type: group + fields: + - name: caller_ip + type: ip + description: "The IP address of the caller." + - name: raw.caller_ip + type: keyword + description: "The raw IP address of the caller." + - name: caller_supplied_user_agent + type: keyword + description: | + The user agent of the caller. This information is not authenticated and should be treated accordingly. + - name: response + type: flattened + - name: resource_name + type: keyword + description: | + The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + - name: resource_location + type: group + fields: + - name: current_locations + type: array + description: | + Current locations of the resource. + - name: service_name + type: keyword + description: | + The name of the API service performing the operation. For example, datastore.googleapis.com. + - name: status + type: group + fields: + - name: code + type: integer + description: "The status code, which should be an enum value of google.rpc.Code." + - name: message + type: keyword + description: "A developer-facing error message, which should be in English. 
Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client." diff --git a/packages/gcp/1.9.2/data_stream/audit/fields/package-fields.yml b/packages/gcp/1.9.2/data_stream/audit/fields/package-fields.yml new file mode 100755 index 0000000000..88482fd9c1 --- /dev/null +++ b/packages/gcp/1.9.2/data_stream/audit/fields/package-fields.yml @@ -0,0 +1,63 @@ +- name: gcp + type: group + fields: + - name: destination.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: destination.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. + - name: source.instance + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: region + type: keyword + description: | + Region of the VM. + - name: zone + type: keyword + description: | + Zone of the VM. + - name: source.vpc + type: group + fields: + - name: project_id + type: keyword + description: | + ID of the project containing the VM. + - name: vpc_name + type: keyword + description: | + VPC on which the VM is operating. + - name: subnetwork_name + type: keyword + description: | + Subnetwork on which the VM is operating. diff --git a/packages/gcp/1.9.2/data_stream/audit/manifest.yml b/packages/gcp/1.9.2/data_stream/audit/manifest.yml new file mode 100755 index 0000000000..0c5919ce10 --- /dev/null +++ b/packages/gcp/1.9.2/data_stream/audit/manifest.yml 
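Review bot: `gcp.audit.request` and `gcp.audit.response` are the only fields in this hunk with no `description`, and as `flattened` objects they hold the raw API request and response payloads, which is exactly what a reader of the generated field reference needs explained. Suggest `description: "The operation request, as a flattened object."` and `description: "The operation response, as a flattened object."` under the respective `type: flattened` lines. If the upstream audit log contract omits oversized or privacy-sensitive request parameters, as I believe the AuditLog documentation states, that caveat belongs in the same description so analysts do not treat an absent parameter as evidence it was not sent.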
@@ -0,0 +1,58 @@ +type: logs +title: Google Cloud Platform (GCP) audit logs +streams: + - input: gcp-pubsub + vars: + - name: topic + type: text + title: Topic + description: Name of the topic where the logs are written to. + multi: false + required: true + show_user: true + default: cloud-logging-audit + - name: subscription_name + type: text + title: Subscription Name + description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console. + multi: false + required: true + show_user: true + default: filebeat-gcp-audit + - name: subscription_create + type: bool + title: Subscription Create + description: If true, the integration will create the subscription on start. + multi: false + required: true + show_user: false + default: false + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - gcp-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: gcp-pubsub.yml.hbs + title: Google Cloud Platform (GCP) audit logs (gcp-pubsub) + description: Collect Google Cloud Platform (GCP) audit logs using gcp-pubsub input diff --git a/packages/gcp/1.9.2/data_stream/audit/sample_event.json b/packages/gcp/1.9.2/data_stream/audit/sample_event.json new file mode 100755 index 0000000000..b5881e272f --- /dev/null 
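Review bot: The `subscription_create` variable's description says only that the subscription is created on start, but the operational consequence is that the agent's service account must then hold permission to create subscriptions on the topic, which is a broader grant than the subscribe-only permission needed when the subscription already exists. Since the default is `false` and the option is hidden (`show_user: false`), the description is the only place an operator learns this trade-off. Suggest `description: If true, the integration will create the subscription on start. This requires the configured service account to be allowed to create subscriptions on the topic; leave it false to run with subscriber-only permissions on a pre-created subscription.`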
+++ b/packages/gcp/1.9.2/data_stream/audit/sample_event.json 
@@ -0,0 +1,130 @@ +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": "xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": 
"jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs new file mode 100755 index 0000000000..d582de0a80 --- /dev/null +++ b/packages/gcp/1.9.2/data_stream/dns/agent/stream/gcp-pubsub.yml.hbs @@ -0,0 +1,27 @@ +project_id: {{project_id}} +topic: {{topic}} +subscription.name: {{subscription_name}} +{{#if credentials_file}} +credentials_file: {{credentials_file}} +{{/if}} +{{#if credentials_json}} +credentials_json: '{{credentials_json}}' +{{/if}} +{{#if alternative_host}} +alternative_host: {{alternative_host}} +{{/if}} +subscription.create: {{subscription_create}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
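Review bot: The sample event is internally inconsistent: `gcp.audit.request` and `method_name` describe a `beta.compute.instances.aggregatedList` call on `compute.googleapis.com`, but `gcp.audit.response` is a Kubernetes `core.k8s.io/v1.Status` object naming a `gsuite-exporter` batch job, so the two halves cannot come from the same audit record and will mislead anyone using the sample to understand the mapping. `user_agent.version` also ends in a stray period (`"71.0."`), which looks like an artifact of the `,gzip(gfe)` suffix in the original string rather than a genuine value. Regenerating the sample from a single real event, or at least replacing the response with one from the same compute operation, would fix both.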
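Review bot: Every templated scalar in this stream except `credentials_json` is rendered unquoted (`project_id`, `topic`, `subscription.name`, `credentials_file`, `alternative_host`), so a value that YAML retypes, or that contains `: ` or ` #`, yields a wrong or unparsable agent configuration instead of a clear validation error. Given that the template already single-quotes `credentials_json`, applying the same form to the others would be consistent, e.g. `project_id: '{{project_id}}'`, `topic: '{{topic}}'`, `subscription.name: '{{subscription_name}}'`. The `i` in `{{#each tags as |tag i|}}` is never used and can be dropped.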
diff --git a/packages/gcp/1.9.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..9589af9c48
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/dns/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,243 @@ +--- +description: Pipeline for Google Cloud DNS logs + +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - set: + field: event.kind + value: event + - set: + field: cloud.provider + value: gcp + - date: + field: json.timestamp + timezone: UTC + formats: + - ISO8601 + - rename: + field: json.logName + target_field: log.logger + ignore_missing: true + - set: + field: event.id + copy_from: json.insertId + ignore_empty_value: true + ignore_failure: true + - convert: + field: json.resource.labels.project_id + target_field: cloud.project.id + type: string + ignore_failure: true + - convert: + field: json.resource.labels.location + target_field: cloud.region + type: string + ignore_failure: true + - rename: + field: json.jsonPayload.authAnswer + target_field: gcp.dns.auth_answer + ignore_missing: true + - rename: + field: json.jsonPayload.destinationIP + target_field: gcp.dns.destination_ip + ignore_missing: true + - set: + field: destination.address + copy_from: gcp.dns.destination_ip + ignore_failure: true + - convert: + field: gcp.dns.destination_ip + target_field: destination.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.egressError + target_field: gcp.dns.egress_error + ignore_missing: true + - rename: + field: json.jsonPayload.protocol + target_field: gcp.dns.protocol + ignore_missing: true + - set: + field: network.transport + copy_from: gcp.dns.protocol + ignore_failure: true + - lowercase: + field: network.transport + ignore_missing: true + - rename: + field: json.jsonPayload.queryName + target_field: gcp.dns.query_name + ignore_missing: true + - set: + field: dns.question.name + copy_from: gcp.dns.query_name + ignore_failure: true + - gsub: + field: dns.question.name + pattern: "[.]$" + replacement: "" + ignore_failure: true + - registered_domain: + field: 
dns.question.name + target_field: dns.question + - remove: + field: dns.question.domain + ignore_missing: true + - rename: + field: json.jsonPayload.queryType + target_field: gcp.dns.query_type + ignore_missing: true + - set: + field: dns.question.type + copy_from: gcp.dns.query_type + ignore_failure: true + - rename: + field: json.jsonPayload.rdata + target_field: gcp.dns.rdata + ignore_missing: true + - script: + if: ctx?.gcp?.dns?.rdata != null + lang: painless + tag: Process DNS RData + description: This script processes the DNS RData into `dns.answers` and `dns.resolved_ip`. + source: | + def rdata = ctx.gcp.dns.rdata; + + def dns_answers = []; + def dns_resolved_ip = []; + + // Check for truncated answers. + def truncated = rdata.endsWith("...") ? 1 : 0; + + // Process answers. + def rdata_answers = /\n/.split(rdata); + + for (def i = 0; i < rdata_answers.length - truncated; i++) { + def answer_parts = /\t/.split(rdata_answers[i]); + + // Assign answer parts. + def name = answer_parts[0]; + def ttl = answer_parts[1]; + def cls = answer_parts[2]; + def type = answer_parts[3]; + def data = answer_parts[4]; + + // Remove trailing fullstop. + if (name.endsWith(".")) { + name = name.substring(0, name.length() - 1); + } + + if (data.endsWith(".")) { + data = data.substring(0, data.length() - 1); + } + + // Uppercase type. 
+ type = type.toUpperCase(); + + dns_answers.add([ + "name": name, + "ttl": ttl, + "class": cls, + "type": type, + "data": data + ]); + + if (type == "A" || type == "AAAA") { + dns_resolved_ip.add(data); + } + } + + ctx.dns.answers = dns_answers; + ctx.dns.resolved_ip = dns_resolved_ip; + - rename: + field: json.jsonPayload.responseCode + target_field: gcp.dns.response_code + ignore_missing: true + - set: + field: dns.response_code + copy_from: gcp.dns.response_code + ignore_failure: true + - set: + field: event.outcome + value: success + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code == "NOERROR" + - set: + field: event.outcome + value: failure + if: ctx?.gcp?.dns?.response_code != null && ctx?.gcp?.dns?.response_code != "NOERROR" + - rename: + field: json.jsonPayload.serverLatency + target_field: gcp.dns.server_latency + ignore_missing: true + - rename: + field: json.jsonPayload.sourceIP + target_field: gcp.dns.source_ip + ignore_missing: true + - set: + field: source.address + copy_from: gcp.dns.source_ip + ignore_failure: true + - convert: + field: gcp.dns.source_ip + target_field: source.ip + type: ip + ignore_failure: true + - rename: + field: json.jsonPayload.sourceNetwork + target_field: gcp.dns.source_network + ignore_missing: true + - rename: + field: json.jsonPayload.vmInstanceIdString + target_field: gcp.dns.vm_instance_id + ignore_missing: true + - set: + field: cloud.instance.id + copy_from: gcp.dns.vm_instance_id + ignore_failure: true + - rename: + field: json.jsonPayload.vmInstanceName + target_field: gcp.dns.vm_instance_name + ignore_missing: true + - set: + field: cloud.instance.name + copy_from: gcp.dns.vm_instance_name + ignore_failure: true + - gsub: + field: cloud.instance.name + pattern: "^.*[.]" + replacement: "" + ignore_failure: true + - rename: + field: json.jsonPayload.vmProjectId + target_field: gcp.dns.vm_project_id + ignore_missing: true + - rename: + field: json.jsonPayload.vmZoneName + target_field: 
gcp.dns.vm_zone_name + ignore_missing: true + - set: + field: cloud.availability_zone + copy_from: gcp.dns.vm_zone_name + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/gcp/1.9.2/data_stream/dns/fields/agent.yml b/packages/gcp/1.9.2/data_stream/dns/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/gcp/1.9.2/data_stream/dns/fields/agent.yml 
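Review bot: The Painless script in the `Process DNS RData` step indexes `answer_parts[0]` through `[4]` without checking the split length, and assigns `ctx.dns.answers` without checking that `ctx.dns` exists, so an rdata line with fewer than five tab-separated columns, or a record whose `queryName` was absent (the earlier `set` of `dns.question.name` is `ignore_failure`, leaving `dns` unset), throws and aborts the document mid-pipeline. When that happens the `on_failure` handler only records `error.message`; the later `remove` of `json` and the conditional `remove` of `event.original` never run, so the failed document is indexed with the entire `json.*` tree and the raw log still attached. Guarding both conditions, as below, keeps one malformed answer from discarding the rest of the event's normalization, and for the same reason the `on_failure` block could also remove `json` so partial documents do not carry unmapped fields.
```yaml
      source: |
        if (ctx.dns == null) {
          ctx.dns = [:];
        }
        def rdata = ctx.gcp.dns.rdata;
        // … unchanged: dns_answers/dns_resolved_ip init, truncated check, split on newline …
        for (def i = 0; i < rdata_answers.length - truncated; i++) {
          def answer_parts = /\t/.split(rdata_answers[i]);
          // Skip lines that do not carry name, ttl, class, type and data.
          if (answer_parts.length < 5) {
            continue;
          }
          // … unchanged: part assignment, trailing-dot trimming, answer/resolved_ip collection …
```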
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/gcp/1.9.2/data_stream/dns/fields/base-fields.yml b/packages/gcp/1.9.2/data_stream/dns/fields/base-fields.yml
new file mode 100755
index 0000000000..bc80931b38
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/dns/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.dns
diff --git a/packages/gcp/1.9.2/data_stream/dns/fields/ecs.yml b/packages/gcp/1.9.2/data_stream/dns/fields/ecs.yml
new file mode 100755
index 0000000000..cd7eacb22f
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/dns/fields/ecs.yml
@@ -0,0 +1,126 @@ +- description: |- + Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: destination.address + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: |- + An array containing an object for each answer section returned by the server. + The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. + Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. + name: dns.answers + type: object +- description: The class of DNS data contained in this resource record. + name: dns.answers.class + type: keyword +- description: |- + The data describing the resource. + The meaning of this data depends on the type and class of the resource record. + name: dns.answers.data + type: keyword +- description: |- + The domain name to which this resource record pertains. + If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. + name: dns.answers.name + type: keyword +- description: The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. + name: dns.answers.ttl + type: long +- description: The type of data contained in this resource record. + name: dns.answers.type + type: keyword +- description: |- + The name being queried. 
+ If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. + name: dns.question.name + type: keyword +- description: |- + The highest registered domain, stripped of the subdomain. + For example, the registered domain for "foo.example.com" is "example.com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + name: dns.question.registered_domain + type: keyword +- description: |- + The subdomain is all of the labels under the registered_domain. + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. + name: dns.question.subdomain + type: keyword +- description: |- + The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". + This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + name: dns.question.top_level_domain + type: keyword +- description: The type of record being queried. + name: dns.question.type + type: keyword +- description: |- + Array containing all IPs seen in `answers.data`. + The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. 
+ name: dns.resolved_ip + type: ip +- description: The DNS response code. + name: dns.response_code + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. + `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. 
+ name: log.logger + type: keyword +- description: |- + Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) + The field value must be normalized to lowercase for querying. + name: network.transport + type: keyword +- description: |- + Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: source.address + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/gcp/1.9.2/data_stream/dns/fields/fields.yml b/packages/gcp/1.9.2/data_stream/dns/fields/fields.yml new file mode 100755 index 0000000000..c0a98003d6 --- /dev/null +++ b/packages/gcp/1.9.2/data_stream/dns/fields/fields.yml 
@@ -0,0 +1,48 @@
+- name: gcp.dns
+ type: group
+ fields:
+ - name: auth_answer
+ type: boolean
+ description: Authoritative answer.
+ - name: destination_ip
+ type: ip
+ description: Destination IP address, only applicable for forwarding cases.
+ - name: egress_error
+ type: keyword
+ description: Egress proxy error.
+ - name: protocol
+ type: keyword
+ description: Protocol TCP or UDP.
+ - name: query_name
+ type: keyword
+ description: DNS query name.
+ - name: query_type
+ type: keyword
+ description: DNS query type.
+ - name: rdata
+ type: keyword
+ description: DNS answer in presentation format, truncated to 260 bytes.
+ - name: response_code
+ type: keyword
+ description: Response code.
+ - name: server_latency
+ type: integer
+ description: Server latency.
+ - name: source_ip
+ type: ip
+ description: Source IP address of the query.
+ - name: source_network
+ type: keyword
+ description: Source network of the query.
+ - name: vm_instance_id
+ type: keyword
+ description: Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs.
+ - name: vm_instance_name
+ type: keyword
+ description: Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs.
+ - name: vm_project_id
+ type: keyword
+ description: Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs.
+ - name: vm_zone_name
+ type: keyword
+ description: Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs.
diff --git a/packages/gcp/1.9.2/data_stream/dns/manifest.yml b/packages/gcp/1.9.2/data_stream/dns/manifest.yml
new file mode 100755
index 0000000000..c8190efa2e
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/dns/manifest.yml
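Review bot: `server_latency` is declared `type: integer` with the bare description `Server latency.`, so the unit is undocumented; the sample event in this commit shows a plain integer (`14`) and nothing in the package says whether that is milliseconds or something else. Suggest stating the unit once it is confirmed against the Cloud DNS logging documentation, e.g. `description: Server latency as reported by Cloud DNS, in <unit - confirm>.` so that dashboards and detection thresholds built on it are not guessing. The `rdata` description's note about the 260-byte truncation is the right kind of caveat; it would be worth mirroring it on `query_name`/`query_type` if those are also subject to source-side limits, which I cannot tell from here.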
@@ -0,0 +1,58 @@
+type: logs
+title: Google Cloud Platform (GCP) DNS logs
+streams:
+ - input: gcp-pubsub
+ vars:
+ - name: topic
+ type: text
+ title: Topic
+ description: Name of the topic where the logs are written to.
+ multi: false
+ required: true
+ show_user: true
+ default: cloud-logging-dns
+ - name: subscription_name
+ type: text
+ title: Subscription Name
+ description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
+ multi: false
+ required: true
+ show_user: true
+ default: filebeat-gcp-dns
+ - name: subscription_create
+ type: bool
+ title: Subscription Create
+ description: If true, the integration will create the subscription on start.
+ multi: false
+ required: true
+ show_user: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - gcp-dns
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: gcp-pubsub.yml.hbs
+ title: Google Cloud Platform (GCP) DNS logs (gcp-pubsub)
+ description: Collect Google Cloud Platform (GCP) DNS logs using gcp-pubsub input
diff --git a/packages/gcp/1.9.2/data_stream/dns/sample_event.json b/packages/gcp/1.9.2/data_stream/dns/sample_event.json
new file mode 100755
index 0000000000..10349b6d73
--- /dev/null
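Review bot: The `subscription_create` description (`If true, the integration will create the subscription on start.`) does not say that enabling it needs create rights on Pub/Sub subscriptions, so an operator cannot see that the default of `false` is the least-privilege choice. Suggest `description: If true, the integration will create the subscription on start. This requires the configured credentials to be allowed to create Pub/Sub subscriptions (pubsub.subscriptions.create); leave it false to run with subscriber-only permissions.` The `subscription_name` description could likewise state that the subscription must already exist when this option is false.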
+++ b/packages/gcp/1.9.2/data_stream/dns/sample_event.json 
@@ -0,0 +1,100 @@ +{ + "@timestamp": "2022-01-23T09:16:05.341Z", + "agent": { + "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "europe-west2-a", + "instance": { + "id": "8340998530665147", + "name": "instance" + }, + "project": { + "id": "project" + }, + "provider": "gcp", + "region": "europe-west2" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "127.0.0.1", + "name": "elastic.co", + "ttl": "300", + "type": "A" + } + ], + "question": { + "name": "elastic.co", + "registered_domain": "elastic.co", + "top_level_domain": "co", + "type": "A" + }, + "resolved_ip": [ + "127.0.0.1" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-05-20T07:25:43.755Z", + "dataset": "gcp.dns", + "id": "vwroyze8pg7y", + "ingested": "2022-05-20T07:25:44Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "protocol": "UDP", + "query_name": "elastic.co.", + "query_type": "A", + "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", + "response_code": "NOERROR", + "server_latency": 14, + "source_ip": "10.154.0.3", + "source_network": "default", + "vm_instance_id": "8340998530665147", + "vm_instance_name": "694119234537.instance", + "vm_project_id": "project", + "vm_zone_name": "europe-west2-a" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "transport": "udp" + }, + "source": { + "address": "10.154.0.3", + "ip": "10.154.0.3" + }, + "tags": [ + 
"forwarded",
+ "gcp-dns"
+ ]
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
new file mode 100755
index 0000000000..d582de0a80
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/agent/stream/gcp-pubsub.yml.hbs
@@ -0,0 +1,27 @@
+project_id: {{project_id}}
+topic: {{topic}}
+subscription.name: {{subscription_name}}
+{{#if credentials_file}}
+credentials_file: {{credentials_file}}
+{{/if}}
+{{#if credentials_json}}
+credentials_json: '{{credentials_json}}'
+{{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
+subscription.create: {{subscription_create}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gcp/1.9.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7dceda4c2c
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml
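Review bot: `dns.answers[].ttl` is rendered here as the string `"300"`, while `dns/fields/ecs.yml` in this same commit maps `dns.answers.ttl` as `type: long`; Elasticsearch will coerce the value at index time, but the pipeline that emits this document (not in this chunk) would presumably be expected to produce a number so the sample and the mapping agree and any `convert` step is explicit. The other typed fields look consistent: `gcp.dns.server_latency` is a bare integer as mapped, and `dns.resolved_ip` holds a parseable address.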
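Review bot: `project_id`, `topic`, `subscription.name` and `alternative_host` are emitted as unquoted templated scalars, so a value that looks like a YAML number, boolean or null, or that begins with an indicator character, changes type or breaks the rendered input config, whereas `credentials_json` on the line below is already quoted; quoting them the same way, e.g. `topic: '{{topic}}'`, keeps the rendered config stable regardless of the operator's input. Because `credentials_json` is single-quoted, a key file containing a `'` would silently truncate the value, which is worth a one-line comment above that line. The `i` in `{{#each tags as |tag i|}}` is unused and can be dropped.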
@@ -0,0 +1,410 @@
+---
+description: Pipeline for Google Cloud Firewall Logs
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - community_id:
+ source_ip: json.jsonPayload.connection.src_ip
+ source_port: json.jsonPayload.connection.src_port
+ destination_ip: json.jsonPayload.connection.dest_ip
+ destination_port: json.jsonPayload.connection.dest_port
+ iana_number: json.jsonPayload.connection.protocol
+ - date:
+ field: json.timestamp
+ timezone: UTC
+ formats:
+ - ISO8601
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: network
+ - set:
+ field: event.action
+ value: firewall-rule
+ - set:
+ field: cloud.provider
+ value: gcp
+ - rename:
+ field: json.logName
+ target_field: log.logger
+ ignore_missing: true
+ - rename:
+ field: json.resource.labels.subnetwork_name
+ target_field: network.name
+ ignore_missing: true
+ - set:
+ field: event.id
+ copy_from: json.insertId
+ ignore_empty_value: true
+ ignore_failure: true
+ - rename:
+ field: json.jsonPayload.disposition
+ target_field: event.type
+ if: ctx?.json?.jsonPayload?.disposition != null
+ - set:
+ field: event.type
+ value: connection
+ if: ctx?.event?.type != null
+ - lowercase:
+ field: event.type
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.json?.jsonPayload?.rule_details?.direction == "INGRESS"
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.json?.jsonPayload?.rule_details?.direction == "EGRESS"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null
+ - rename:
+ field: json.jsonPayload.vpc
+ target_field: json.jsonPayload.src_vpc
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.instance
+ target_field: json.jsonPayload.src_instance
+ if: ctx?.network?.direction == "outbound"
+
ignore_missing: true
+ - rename:
+ field: json.jsonPayload.location
+ target_field: json.jsonPayload.src_location
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_vpc
+ target_field: json.jsonPayload.dest_vpc
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_instance
+ target_field: json.jsonPayload.dest_instance
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_location
+ target_field: json.jsonPayload.dest_location
+ if: ctx?.network?.direction == "outbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.vpc
+ target_field: json.jsonPayload.dest_vpc
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.instance
+ target_field: json.jsonPayload.dest_instance
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.location
+ target_field: json.jsonPayload.dest_location
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_vpc
+ target_field: json.jsonPayload.src_vpc
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_instance
+ target_field: json.jsonPayload.src_instance
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.remote_location
+ target_field: json.jsonPayload.src_location
+ if: ctx?.network?.direction == "inbound"
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number ==
'0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+ ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+ - rename:
+ field: json.jsonPayload.connection.dest_ip
+ target_field: destination.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.dest_port
+ target_field: destination.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_ip
+ target_field: source.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_port
+ target_field: source.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance.vm_name
+ target_field: source.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance.vm_name
+ target_field: destination.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.continent
+ target_field: destination.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.country
+ target_field: destination.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.region
+ target_field: destination.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.city
+
target_field: destination.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.continent
+ target_field: source.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.country
+ target_field: source.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.region
+ target_field: source.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.city
+ target_field: source.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance
+ target_field: gcp.destination.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_vpc
+ target_field: gcp.destination.vpc
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance
+ target_field: gcp.source.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_vpc
+ target_field: gcp.source.vpc
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.rule_details.reference
+ target_field: rule.name
+ ignore_missing: true
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ if: ctx?.source?.address != null
+ ignore_failure: true
+ - set:
+ field: destination.ip
+ value: "{{destination.address}}"
+ if: ctx?.destination?.address != null
+ ignore_failure: true
+ - convert:
+ field: gcp.source.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.instance.zone
+
target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.source.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.network?.direction == "outbound"
+ - convert:
+ field: gcp.destination.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.instance.zone
+ target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.network?.direction == "inbound"
+ - convert:
+ field: gcp.destination.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.network?.direction == "inbound"
+ - set:
+ field: network.direction
+ value: internal
+ if: ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
+ - set:
+ field: network.type
+ value: ipv6
+ if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
+ - rename:
+ field: json.jsonPayload.rule_details
+ target_field: gcp.firewall.rule_details
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx?.source?.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
+ - remove:
+ field:
+ - gcp.firewall.connection
+ -
gcp.firewall.dest_location
+ - gcp.firewall.disposition
+ - gcp.firewall.src_location
+ - json
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/gcp/1.9.2/data_stream/firewall/fields/agent.yml b/packages/gcp/1.9.2/data_stream/firewall/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/fields/agent.yml
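Review bot: The `set` that writes `connection` into `event.type` is conditioned on `ctx?.event?.type != null`, which is true exactly when the preceding `rename` has just moved `json.jsonPayload.disposition` into `event.type`, so the ALLOWED/DENIED disposition is always overwritten and the following `lowercase` has nothing meaningful left to normalize; if both ECS type values are wanted, replacing that processor with `- append:` / `field: event.type` / `value: connection` under the same `if` keeps the disposition, and `lowercase` accepts the resulting array. When `disposition` is absent, `event.type` stays null and `lowercase` carries no `ignore_missing: true`, so such a document would take the `on_failure` path with the remaining processors skipped and the raw `json` object still attached — `ignore_missing: true` on that step avoids it. The later `remove` lists `gcp.firewall.connection`, `gcp.firewall.dest_location`, `gcp.firewall.disposition` and `gcp.firewall.src_location`, none of which any processor above creates (only `gcp.firewall.rule_details` is), so those entries are dead and only `json` is really removed. The `internal` direction `set` compares `ctx?.gcp?.source?.instance == ctx?.gcp?.destination?.instance` with no null guard, so an event where neither instance was resolved would also be labelled `internal`; prefixing the condition with `ctx?.gcp?.source?.instance != null && ` would be safer, though I have not checked whether such events occur.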
@@ -0,0 +1,199 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. 
+ - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/gcp/1.9.2/data_stream/firewall/fields/base-fields.yml b/packages/gcp/1.9.2/data_stream/firewall/fields/base-fields.yml
new file mode 100755
index 0000000000..93e2a6ab3b
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.firewall
diff --git a/packages/gcp/1.9.2/data_stream/firewall/fields/ecs.yml b/packages/gcp/1.9.2/data_stream/firewall/fields/ecs.yml
new file mode 100755
index 0000000000..54175f3093
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/fields/ecs.yml
@@ -0,0 +1,240 @@
+- description: Container name.
+ name: container.name
+ type: keyword
+- description: Runtime managing this container.
+ name: container.runtime
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/gcp/1.9.2/data_stream/firewall/fields/fields.yml b/packages/gcp/1.9.2/data_stream/firewall/fields/fields.yml
new file mode 100755
index 0000000000..98681562b2
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: gcp.firewall
+ type: group
+ fields:
+ - name: rule_details
+ type: group
+ fields:
+ - name: priority
+ type: long
+ description: The priority for the firewall rule.
+ - name: action
+ type: keyword
+ description: Action that the rule performs on match.
+ - name: direction
+ type: keyword
+ description: Direction of traffic that matches this rule.
+ - name: reference
+ type: keyword
+ description: Reference to the firewall rule.
+ - name: source_range
+ type: keyword
+ description: List of source ranges that the firewall rule applies to.
+ - name: destination_range
+ type: keyword
+ description: List of destination ranges that the firewall applies to.
+ - name: source_tag
+ type: keyword
+ description: |
+ List of all the source tags that the firewall rule applies to.
+ - name: target_tag
+ type: keyword
+ description: |
+ List of all the target tags that the firewall rule applies to.
+ - name: ip_port_info
+ type: array
+ description: |
+ List of ip protocols and applicable port ranges for rules.
+ - name: source_service_account
+ type: keyword
+ description: |
+ List of all the source service accounts that the firewall rule applies to.
+ - name: target_service_account
+ type: keyword
+ description: |
+ List of all the target service accounts that the firewall rule applies to.
diff --git a/packages/gcp/1.9.2/data_stream/firewall/fields/package-fields.yml b/packages/gcp/1.9.2/data_stream/firewall/fields/package-fields.yml
new file mode 100755
index 0000000000..88482fd9c1
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/fields/package-fields.yml
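Review bot: `ip_port_info` is declared as `type: array` with no sub-fields, yet the sample event in this same commit shows it as a list of objects carrying `ip_protocol` and `port_range`; as far as I can tell the package-spec `array` type produces no mapping of its own, so those keys end up dynamically mapped (or unindexed, depending on the template's dynamic setting) and invisible to the field-level documentation. Declaring it as a group with the two keyword sub-fields makes the mapping explicit and keeps `port_range` a string so values like `"3389"` are not retyped. The remaining entries in the hunk are unchanged.
```yaml
      # … unchanged: priority … target_tag …
      - name: ip_port_info
        type: group
        description: |
          List of ip protocols and applicable port ranges for rules.
        fields:
          - name: ip_protocol
            type: keyword
            description: IP protocol of this rule entry (for example TCP).
          - name: port_range
            type: keyword
            description: Port ranges this rule entry applies to.
      # … unchanged: source_service_account, target_service_account …
```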
@@ -0,0 +1,63 @@
+- name: gcp
+ type: group
+ fields:
+ - name: destination.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: destination.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
+ - name: source.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: source.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
diff --git a/packages/gcp/1.9.2/data_stream/firewall/manifest.yml b/packages/gcp/1.9.2/data_stream/firewall/manifest.yml
new file mode 100755
index 0000000000..4d0f663192
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/manifest.yml
@@ -0,0 +1,58 @@
+type: logs
+title: Google Cloud Platform (GCP) firewall logs
+streams:
+ - input: gcp-pubsub
+ vars:
+ - name: topic
+ type: text
+ title: Topic
+ description: Name of the topic where the logs are written to.
+ multi: false
+ required: true
+ show_user: true
+ default: cloud-logging-firewall
+ - name: subscription_name
+ type: text
+ title: Subscription Name
+ description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
+ multi: false
+ required: true
+ show_user: true
+ default: filebeat-gcp-firewall
+ - name: subscription_create
+ type: bool
+ title: Subscription Create
+ description: If true, the integration will create the subscription on start.
+ multi: false
+ required: true
+ show_user: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - gcp-firewall
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: gcp-pubsub.yml.hbs
+ title: Google Cloud Platform (GCP) firewall logs (gcp-pubsub)
+ description: Collect Google Cloud Platform (GCP) firewall logs using gcp-pubsub input
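Review bot: The `tags` variable is the only one in this stream without a `description`, so Fleet shows users just the title "Tags" with a hidden default of `forwarded` and `gcp-firewall`. The default is not cosmetic: the vpcflow stream template in this same commit emits `publisher_pipeline.disable_host: true` whenever the tags contain `forwarded`, and the firewall template (not in this chunk) presumably does the same, so removing that tag changes what host metadata lands on the events. Suggested text: `description: Tags added to every event. The default `forwarded` tag disables host metadata enrichment in the agent; remove it only if the events describe the collecting host.`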
diff --git a/packages/gcp/1.9.2/data_stream/firewall/sample_event.json b/packages/gcp/1.9.2/data_stream/firewall/sample_event.json
new file mode 100755
index 0000000000..feeb2644cf
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/firewall/sample_event.json
@@ -0,0 +1,120 @@
+{
+ "@timestamp": "2019-10-30T13:52:42.191Z",
+ "agent": {
+ "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "test-beats"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "10.42.0.2",
+ "domain": "test-windows",
+ "ip": "10.42.0.2",
+ "port": 3389
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:26:27.445Z",
+ "dataset": "gcp.firewall",
+ "id": "1f21ciqfpfssuo",
+ "ingested": "2022-05-20T07:26:28Z",
+ "kind": "event",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "test-beats",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "test-beats",
+ "subnetwork_name": "windows-isolated",
+ "vpc_name": "windows-isolated"
+ }
+ },
+ "firewall": {
+ "rule_details": {
+ "action": "ALLOW",
+ "direction": "INGRESS",
+ "ip_port_info": [
+ {
+ "ip_protocol": "TCP",
+ "port_range": [
+ "3389"
+ ]
+ }
+ ],
+ "priority": 1000,
+ "source_range": [
+ "0.0.0.0/0"
+ ],
+ "target_tag": [
+ "allow-rdp"
+ ]
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
+ },
+ "network": {
+ "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
+ "direction": "inbound",
+ "iana_number": "6",
+ "name": "windows-isolated",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "192.168.2.126",
+ "10.42.0.2"
+ ]
+ },
+ "rule": {
+ "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
+ },
+ "source": {
+ "address": "192.168.2.126",
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "omn"
+ },
+ "ip": "192.168.2.126",
+ "port": 64853
+ },
+ "tags": [
+ "forwarded",
+ "gcp-firewall"
+ ]
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs b/packages/gcp/1.9.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
new file mode 100755
index 0000000000..d582de0a80
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/agent/stream/gcp-pubsub.yml.hbs
@@ -0,0 +1,27 @@
+project_id: {{project_id}}
+topic: {{topic}}
+subscription.name: {{subscription_name}}
+{{#if credentials_file}}
+credentials_file: {{credentials_file}}
+{{/if}}
+{{#if credentials_json}}
+credentials_json: '{{credentials_json}}'
+{{/if}}
+{{#if alternative_host}}
+alternative_host: {{alternative_host}}
+{{/if}}
+subscription.create: {{subscription_create}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/1.9.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..594342f345
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
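Review bot: In the vpcflow `gcp-pubsub.yml.hbs` hunk, `project_id`, `topic`, `subscription.name` and `alternative_host` are rendered as unquoted plain scalars, so the YAML parser re-types any value that happens to look like a number or boolean (a project id or topic of all digits becomes an integer, an `on`/`off`-style value a boolean) before the input ever sees it; `credentials_json` is already quoted, and the others should be too, e.g. `topic: "{{topic}}"` and `subscription.name: "{{subscription_name}}"`. The `{{#each tags as |tag i|}}` block also declares an index `i` it never uses; `{{#each tags as |tag|}}` is enough, and matches the form used in the other stream templates of this commit.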
@@ -0,0 +1,371 @@
+---
+description: Pipeline for Google Cloud VPC Flow Logs
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ - community_id:
+ source_ip: json.jsonPayload.connection.src_ip
+ source_port: json.jsonPayload.connection.src_port
+ destination_ip: json.jsonPayload.connection.dest_ip
+ destination_port: json.jsonPayload.connection.dest_port
+ iana_number: json.jsonPayload.connection.protocol
+ - date:
+ field: json.timestamp
+ timezone: UTC
+ formats:
+ - ISO8601
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: network
+ - set:
+ field: event.type
+ value: connection
+ - set:
+ field: event.id
+ copy_from: json.insertId
+ ignore_empty_value: true
+ ignore_failure: true
+ - set:
+ field: cloud.provider
+ value: gcp
+ - rename:
+ field: json.logName
+ target_field: log.logger
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.dest_ip
+ target_field: destination.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.dest_port
+ target_field: destination.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_ip
+ target_field: source.address
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.connection.src_port
+ target_field: source.port
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance.vm_name
+ target_field: source.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance.vm_name
+ target_field: destination.domain
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.bytes_sent
+ target_field: source.bytes
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.packets_sent
+ target_field: source.packets
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.start_time
+ target_field: event.start
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.end_time
+ target_field: event.end
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.continent
+ target_field: destination.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.country
+ target_field: destination.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.region
+ target_field: destination.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_location.city
+ target_field: destination.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.continent
+ target_field: source.geo.continent_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.country
+ target_field: source.geo.country_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.region
+ target_field: source.geo.region_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_location.city
+ target_field: source.geo.city_name
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_instance
+ target_field: gcp.destination.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.dest_vpc
+ target_field: gcp.destination.vpc
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_instance
+ target_field: gcp.source.instance
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload.src_vpc
+ target_field: gcp.source.vpc
+ ignore_missing: true
+ - convert:
+ field: json.jsonPayload.rtt_msec
+ target_field: json.jsonPayload.rtt.ms
+ type: long
+ ignore_missing: true
+ - rename:
+ field: json.jsonPayload
+ target_field: gcp.vpcflow
+ ignore_missing: true
+ - convert:
+ field: source.bytes
+ type: long
+ ignore_missing: true
+ - convert:
+ field: source.packets
+ type: long
+ ignore_missing: true
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_missing: true
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: ctx?.network?.iana_number != null
+ source: |
+ def iana_number = ctx.network.iana_number;
+ if (iana_number == '0') {
+ ctx.network.transport = 'hopopt';
+ } else if (iana_number == '1') {
+ ctx.network.transport = 'icmp';
+ } else if (iana_number == '2') {
+ ctx.network.transport = 'igmp';
+ } else if (iana_number == '6') {
+ ctx.network.transport = 'tcp';
+ } else if (iana_number == '8') {
+ ctx.network.transport = 'egp';
+ } else if (iana_number == '17') {
+ ctx.network.transport = 'udp';
+ } else if (iana_number == '47') {
+ ctx.network.transport = 'gre';
+ } else if (iana_number == '50') {
+ ctx.network.transport = 'esp';
+ } else if (iana_number == '58') {
+ ctx.network.transport = 'ipv6-icmp';
+ } else if (iana_number == '112') {
+ ctx.network.transport = 'vrrp';
+ } else if (iana_number == '132') {
+ ctx.network.transport = 'sctp';
+ }
+ - remove:
+ field:
+ - gcp.vpcflow.rtt_msec
+ - gcp.vpcflow.connection
+ - gcp.vpcflow.dest_location
+ - gcp.vpcflow.src_location
+ - json
+ ignore_missing: true
+ - set:
+ field: source.ip
+ value: "{{source.address}}"
+ ignore_failure: true
+ if: ctx?.source?.address != null
+ - set:
+ field: destination.ip
+ value: "{{destination.address}}"
+ ignore_failure: true
+ if: ctx?.destination?.address != null
+ - convert:
+ field: gcp.source.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "DEST"
+ - convert:
+ field: gcp.source.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "DEST"
+ - convert:
+ field: gcp.source.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "DEST"
+ - convert:
+ field: gcp.source.instance.zone
+ target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "DEST"
+ - convert:
+ field: gcp.source.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.gcp?.vpcflow?.reporter == "DEST"
+ - convert:
+ field: gcp.destination.instance.project_id
+ target_field: cloud.project.id
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "SRC"
+ - convert:
+ field: gcp.destination.instance.vm_name
+ target_field: cloud.instance.name
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "SRC"
+ - convert:
+ field: gcp.destination.instance.region
+ target_field: cloud.region
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "SRC"
+ - convert:
+ field: gcp.destination.instance.zone
+ target_field: cloud.availability_zone
+ type: string
+ ignore_missing: true
+ if: ctx?.gcp?.vpcflow?.reporter == "SRC"
+ - convert:
+ field: gcp.destination.vpc.subnetwork_name
+ target_field: network.name
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.gcp?.vpcflow?.reporter == "SRC"
+ - convert:
+ field: source.bytes
+ type: long
+ target_field: network.bytes
+ ignore_missing: true
+ - convert:
+ field: source.packets
+ type: long
+ target_field: network.packets
+ ignore_missing: true
+ - set:
+ field: network.direction
+ value: internal
+ if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance != null
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx?.gcp?.source?.instance != null && ctx?.gcp?.destination?.instance == null
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx?.gcp?.source?.instance == null && ctx?.gcp?.destination?.instance != null
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx?.network?.direction == null
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx?.source?.ip != null && ctx?.source?.ip.contains(".")
+ - set:
+ field: network.type
+ value: ipv6
+ if: ctx?.source?.ip != null && !ctx?.source?.ip.contains(".")
+ - append:
+ field: related.ip
+ value: "{{source.ip}}"
+ allow_duplicates: false
+ if: ctx?.source?.ip != null && ctx?.source?.ip != ""
+ - append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ allow_duplicates: false
+ if: ctx?.destination?.ip != null && ctx?.destination?.ip != ""
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
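Review bot: The two `convert` processors that read `gcp.source.instance.vm_name` (reporter `DEST`) and `gcp.destination.instance.vm_name` (reporter `SRC`) can never populate `cloud.instance.name`, because `vm_name` was already moved out of `src_instance`/`dest_instance` by the earlier renames to `source.domain` and `destination.domain`, and `ignore_missing: true` turns the step into a silent no-op. Read the renamed fields instead: `field: source.domain` in the `DEST` branch and `field: destination.domain` in the `SRC` branch (or use `set` with `copy_from`). Separately, the `geoip` processors near the end target `source.geo`/`destination.geo` and `source.as`/`destination.as`, the same objects the GCP-supplied `src_location`/`dest_location` values were renamed into earlier; if the lookup matches, the processor appears to replace the whole target object, so the provider's geo and ASN data would be discarded for public addresses — worth confirming, and if so either guard the lookup with `if: ctx.source?.geo == null` or write it to a separate target. The orientation of the `reporter` checks (the `DEST` branch filling `cloud.*` from `gcp.source.instance`) also looks inverted relative to what the field names suggest; I may be missing context, so please confirm against a real `reporter: SRC` event.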
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/fields/agent.yml b/packages/gcp/1.9.2/data_stream/vpcflow/fields/agent.yml
new file mode 100755
index 0000000000..616523c9e1
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/fields/agent.yml
@@ -0,0 +1,199 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
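Review bot: `example: 666777888999` on the `cloud.account.id` entry is an unquoted all-digit scalar, so a YAML 1.1 loader reads it as an integer even though the field is typed `keyword`; later entries in the same hunk quote their literal examples (`example: "18D109"`, `example: "stretch"`), so `example: "666777888999"` keeps the file consistent and avoids the implicit-typing surprise. The three `description: >` blocks for `containerized`, `os.build` and `os.codename` use the clip chomping indicator, so their rendered descriptions end in a newline that none of the plain-scalar descriptions in this file carry; `description: >-` gives the same text without it. The `os.platform` description reads `(such centos, ubuntu, windows)` and is presumably missing "as".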
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/fields/base-fields.yml b/packages/gcp/1.9.2/data_stream/vpcflow/fields/base-fields.yml
new file mode 100755
index 0000000000..09f5a3a04a
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: gcp
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: gcp.vpcflow
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/fields/ecs.yml b/packages/gcp/1.9.2/data_stream/vpcflow/fields/ecs.yml
new file mode 100755
index 0000000000..1fb5a0a066
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/fields/ecs.yml
@@ -0,0 +1,262 @@
+- description: Container name.
+ name: container.name
+ type: keyword
+- description: Runtime managing this container.
+ name: container.runtime
+ type: keyword
+- description: |-
+ Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: destination.as.organization.name
+ type: keyword
+- description: |-
+ The domain name of the destination system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination (IPv4 or IPv6).
+ name: destination.ip
+ type: ip
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it.
This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: event.end contains the date when the event ended or when the activity was last observed.
+ name: event.end
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: event.start contains the date when the event started or when the activity was first observed.
+ name: event.start
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate.
+ If the event wasn't read from a log file, do not populate this field.
+ name: log.file.path
+ type: keyword
+- description: The name of the logger inside an application.
This is usually the name of the class which initialized the logger, or can be a custom name.
+ name: log.logger
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: |-
+ Total bytes transferred in both directions.
+ If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
+ name: network.bytes
+ type: long
+- description: |-
+ A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
+ Learn more at https://github.com/corelight/community-id-spec.
+ name: network.community_id
+ type: keyword
+- description: |-
+ Direction of the network traffic.
+ Recommended values are:
+ * ingress
+ * egress
+ * inbound
+ * outbound
+ * internal
+ * external
+ * unknown
+
+ When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress".
+ When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external".
+ Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols.
This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Name given by operators to sections of their network.
+ name: network.name
+ type: keyword
+- description: |-
+ Total packets transferred in both directions.
+ If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
+ name: network.packets
+ type: long
+- description: |-
+ Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
+ The field value must be normalized to lowercase for querying.
+ name: network.transport
+ type: keyword
+- description: |-
+ In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
+ The field value must be normalized to lowercase for querying.
+ name: network.type
+ type: keyword
+- description: All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
+ name: related.hash
+ type: keyword
+- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+ name: related.hosts
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: The name of the rule or signature generating the event.
+ name: rule.name
+ type: keyword
+- description: |-
+ Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
+ Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: |-
+ The domain name of the source system.
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.
+ name: source.domain
+ type: keyword
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
+ type: geo_point
+- description: |-
+ User-defined description of a location, at the level of granularity they care about.
+ Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
+ Not typically used in automated geolocation.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source (IPv4 or IPv6).
+ name: source.ip
+ type: ip
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/fields/fields.yml b/packages/gcp/1.9.2/data_stream/vpcflow/fields/fields.yml
new file mode 100755
index 0000000000..afd0aca3fa
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/fields/fields.yml
@@ -0,0 +1,11 @@
+- name: gcp.vpcflow
+ type: group
+ fields:
+ - name: reporter
+ type: keyword
+ description: |
+ The side which reported the flow. Can be either 'SRC' or 'DEST'.
+ - name: rtt.ms
+ type: long
+ description: |
+ Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/fields/package-fields.yml b/packages/gcp/1.9.2/data_stream/vpcflow/fields/package-fields.yml
new file mode 100755
index 0000000000..88482fd9c1
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/fields/package-fields.yml
@@ -0,0 +1,63 @@
+- name: gcp
+ type: group
+ fields:
+ - name: destination.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: destination.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
+ - name: source.instance
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: region
+ type: keyword
+ description: |
+ Region of the VM.
+ - name: zone
+ type: keyword
+ description: |
+ Zone of the VM.
+ - name: source.vpc
+ type: group
+ fields:
+ - name: project_id
+ type: keyword
+ description: |
+ ID of the project containing the VM.
+ - name: vpc_name
+ type: keyword
+ description: |
+ VPC on which the VM is operating.
+ - name: subnetwork_name
+ type: keyword
+ description: |
+ Subnetwork on which the VM is operating.
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/manifest.yml b/packages/gcp/1.9.2/data_stream/vpcflow/manifest.yml
new file mode 100755
index 0000000000..61718d7823
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/manifest.yml
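Review bot: The `project_id` entries under `destination.vpc` and `source.vpc` reuse the instance wording `ID of the project containing the VM.`, which looks copied from the `*.instance` groups. A VPC field identifies the project that owns the network, and with a shared VPC that is presumably not the same project as the VM, so `ID of the project containing the VPC.` would describe those two fields more accurately. The `vpc_name` and `subnetwork_name` descriptions already say "on which the VM is operating", so only the two `project_id` lines need the change.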
@@ -0,0 +1,58 @@
+type: logs
+title: Google Cloud Platform (GCP) vpcflow logs
+streams:
+ - input: gcp-pubsub
+ vars:
+ - name: topic
+ type: text
+ title: Topic
+ description: Name of the topic where the logs are written to.
+ multi: false
+ required: true
+ show_user: true
+ default: cloud-logging-vpcflow
+ - name: subscription_name
+ type: text
+ title: Subscription Name
+ description: Use the short subscription name here, not the full-blown path with the project ID. You can find it as "Subscription ID" on the Google Cloud Console.
+ multi: false
+ required: true
+ show_user: true
+ default: filebeat-gcp-vpcflow
+ - name: subscription_create
+ type: bool
+ title: Subscription Create
+ description: If true, the integration will create the subscription on start.
+ multi: false
+ required: true
+ show_user: false
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - gcp-vpcflow
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: gcp-pubsub.yml.hbs
+ title: Google Cloud Platform (GCP) vpcflow logs (gcp-pubsub)
+ description: Collect Google Cloud Platform (GCP) vpcflow logs using gcp-pubsub input
diff --git a/packages/gcp/1.9.2/data_stream/vpcflow/sample_event.json b/packages/gcp/1.9.2/data_stream/vpcflow/sample_event.json
new file mode 100755
index 0000000000..3d743d26e5
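Review bot: The `subscription_create` description, `If true, the integration will create the subscription on start.`, does not tell the operator that enabling it widens the permissions the service account needs; the README added in this same commit lists `pubsub.subscriptions.create` and `pubsub.topics.attachSubscription` as required only in that case. Suggested wording: `description: If true, the integration will create the subscription on start. This requires the pubsub.subscriptions.create and pubsub.topics.attachSubscription permissions on the service account; leave it false if you pre-create the subscription.` Keeping `default: false` is the least-privilege choice and matches the README's guidance, so only the description needs changing.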
--- /dev/null
+++ b/packages/gcp/1.9.2/data_stream/vpcflow/sample_event.json
@@ -0,0 +1,128 @@
+{
+ "@timestamp": "2019-06-14T03:50:10.845Z",
+ "agent": {
+ "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "my-sample-project"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.vpcflow",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "67.43.156.14",
+ "as": {
+ "number": 35908
+ },
+ "domain": "elasticsearch",
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.14",
+ "port": 9200
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:27:09.739Z",
+ "dataset": "gcp.vpcflow",
+ "end": "2019-06-14T03:49:51.821308944Z",
+ "id": "ut8lbrffooxyp",
+ "ingested": "2022-05-20T07:27:10Z",
+ "kind": "event",
+ "start": "2019-06-14T03:40:08.469099728Z",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "source": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 3
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger":
"projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 15169, + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 92, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, + "source": { + "address": "10.87.40.76", + "bytes": 15169, + "domain": "kibana", + "ip": "10.87.40.76", + "packets": 92, + "port": 33880 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/docs/README.md b/packages/gcp/1.9.2/docs/README.md new file mode 100755 index 0000000000..f34f061b86 --- /dev/null +++ b/packages/gcp/1.9.2/docs/README.md 
@@ -0,0 +1,1157 @@ +# Google Cloud Integration + +The Google Cloud integration collects and parses Google Cloud [Audit Logs](https://cloud.google.com/logging/docs/audit), [VPC Flow Logs](https://cloud.google.com/vpc/docs/using-flow-logs), [Firewall Rules Logs](https://cloud.google.com/vpc/docs/firewall-rules-logging) and [Cloud DNS Logs](https://cloud.google.com/dns/docs/monitoring) that have been exported from Cloud Logging to a Google Pub/Sub topic sink. + +## Authentication + +To use this Google Cloud Platform (GCP) integration, you need to set up a +*Service Account* with a *Role* and a *Service Account Key* to access data on +your GCP project. + +### Service Account + +First, you need to [create a Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts). A Service Account (SA) is a particular type of Google account intended to represent a non-human user who needs to access the GCP resources. + +The Elastic Agent uses the SA to access data on Google Cloud Platform using the Google APIs. + +If you haven't already, this might be a good moment to check out the [best +practices for securing service +accounts](https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts) +guide. + +### Role + +You need to grant your Service Account (SA) access to Google Cloud Platform +resources by assigning a role to the account. In order to assign minimal +privileges, create a custom role that has only the privileges required by Agent. +Those privileges are: + +- `pubsub.subscriptions.consume` +- `pubsub.subscriptions.create` * +- `pubsub.subscriptions.get` +- `pubsub.topics.attachSubscription` * + +\* Only required if Agent is expected to create a new subscription. If you +create the subscriptions yourself you may omit these privileges. + +After you have created the custom role, assign the role to your service account. 
+ +### Service Account Keys + +Now, with your brand new Service Account (SA) with access to Google Cloud Platform (GCP) resources, you need some credentials to associate with it: a Service Account Key. + +From the list of SA: + +1. Click the one you just created to open the detailed view. +2. From the Keys section, click "Add key" > "Create new key" and select JSON as the type. +3. Download and store the generated private key securely (remember, the private key can't be recovered from GCP if lost). + +## Configure the Integration Settings + +The next step is to configure the general integration settings used for all logs from the supported services (Audit, DNS, Firewall, and VPC Flow). + +The "Project Id" and either the "Credentials File" or "Credentials JSON" will need to be provided in the integration UI when adding the Google Cloud Platform integration. + +### Project Id + +The Project Id is the Google Cloud project ID where your resources exist. + +### Credentials File vs Json + +Based on your preference, specify the information in either the Credentials File OR the Credentials JSON field. + +#### Option 1: Credentials File + +Save the JSON file with the private key in a secure location of the file system, and make sure that the Elastic Agent has at least read-only privileges to this file. + +Specify the file path in the Elastic Agent integration UI in the "Credentials File" field. For example: `/home/ubuntu/credentials.json`. + +#### Option 2: Credentials JSON + +Specify the content of the JSON file you downloaded from Google Cloud Platform directly in the Credentials JSON field in the Elastic Agent integration. + +#### Recommendations + +Elastic recommends using Credentials File, as in this method the credential information doesn’t leave your Google Cloud Platform environment. When using Credentials JSON, the integration stores the info in Elasticsearch, and the access is controlled based on policy permissions or access to underlying Elasticsearch data. 
+ +## Logs Collection Configuration + +With a properly configured Service Account and the integration setting in place, it's time to start collecting some logs. + +### Requirements + +You need to create a few dedicated Google Cloud resources before starting, in detail: + +- Log Sink +- Pub/Sub Topic +- Subscription + +Elastic recommends separate Pub/Sub topics for each of the log types so that they can be parsed and stored in a specific data stream. + +Here's an example of collecting Audit Logs using a Pub/Sub topic, a subscription, and a Log Router. We will create the resources in the Google Cloud Console and then configure the Google Cloud Platform integration. + +### On the Google Cloud Console + +At a high level, the steps required are: + +- Visit "Logging" > "Log Router" > "Create Sink" and provide a sink name and description. +- In "Sink destination", select "Cloud Pub/Sub topic" as the sink service. Select an existing topic or "Create a topic". Note the topic name, as it will be provided in the Topic field in the Elastic agent configuration. +- If you created a new topic, you must remember to go to that topic and create a subscription for it. A subscription directs messages on a topic to subscribers. Note the "Subscription ID", as it will need to be entered in the "Subscription name" field in the integration settings. +- Under "Choose logs to include in sink", for example add `logName:"cloudaudit.googleapis.com"` in the "Inclusion filter" to include all audit logs. + +This is just an example; you will need to create your filter expression to select the log types you want to export to the Pub/Sub topic. 
+ +More example filters for different log types: + +```text +# +# VPC Flow: logs for specific subnet +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/vpc_flows") AND +resource.labels.subnetwork_name"=[SUBNET_NAME]" + +# +# Audit: Google Compute Engine firewall rule deletion +# +resource.type="gce_firewall_rule" AND +log_id("cloudaudit.googleapis.com/activity") AND +protoPayload.methodName:"firewalls.delete" + +# +# DNS: all DNS queries +# +resource.type="dns_query" + +# +# Firewall: logs for a given country +# +resource.type="gce_subnetwork" AND +log_id("compute.googleapis.com/firewall") AND +jsonPayload.remote_location.country=[COUNTRY_ISO_ALPHA_3] +``` + +Start working on your query using the Google Cloud [Logs Explorer](https://console.cloud.google.com/logs/query), so you can preview and pinpoint the exact log types you want to forward to your Elastic Stack. + +To learn more, please read how to [Build queries in the Logs Explorer](https://cloud.google.com/logging/docs/view/building-queries), and take a look at the [Sample queries using the Logs Explorer](https://cloud.google.com/logging/docs/view/query-library-preview) page in the Google Cloud docs. + +### On Kibana + +Visit "Management" > "Integrations" > "Installed Integrations" > "Google Cloud Platform" and select the "Integration Policies" tab. Select the integration policy you previously created. + +From the list of services, select "Google Cloud Platform (GCP) audit logs (gcp-pubsub)" and: + +- On the "Topic" field, specify the "topic name" you noted before on the Google Cloud Console. +- On the "Subscription Name", specify the short subscription name you noted before on the Google Cloud Console (note: do NOT use the full-blown subscription name made of project/PROJECT_ID/subscriptions/SUBSCRIPTION_ID). Just pick the Subscription ID from the Google Cloud Console). +- Click on "Save Integration", and make sure the Elastic Agent gets the updated policy. 
+ +### Troubleshooting + +If you don't see Audit logs showing up, check the Agent logs to see if there are errors. + +Common error types: + +- Missing roles in the Service Account +- Misconfigured settings, like "Project Id", "Topic" or "Subscription Name" fields + +#### Missing Roles in the Service Account + +If your Service Account (SA) does not have the required roles, you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = PermissionDenied desc = User not authorized to perform this action. +``` + +Solution: make sure your SA has all the required roles. + +#### Misconfigured Settings + +If you specify the wrong "Topic field" or "Subscription Name", you might find errors like this one in the `elastic_agent.filebeat` dataset: + +```text +[elastic_agent.filebeat][error] failed to subscribe to pub/sub topic: failed to check if subscription exists: rpc error: code = InvalidArgument desc = Invalid resource name given (name=projects/project/subscriptions/projects/project/subscriptions/non-existent-sub). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information. +``` + +Solution: double check the integration settings. + +## Logs + +### Audit + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. 
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. 
| keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. | keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. 
The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. 
| keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. 
| keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. 
| keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": "xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", 
+ "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` + +### Firewall + +The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. 
This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword | +| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. 
| keyword | +| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword | +| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array | +| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long | +| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword | +| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. | keyword | +| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. 
If multiple messages exist, they can be combined into one message. | match_only_text | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. 
Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. 
Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. | keyword | + + +An example event for `firewall` looks as following: + +```json +{ + "@timestamp": "2019-10-30T13:52:42.191Z", + "agent": { + "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "test-beats" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.firewall", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "10.42.0.2", + "domain": "test-windows", + "ip": "10.42.0.2", + "port": 3389 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "firewall-rule", + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:26:27.445Z", + "dataset": "gcp.firewall", + "id": "1f21ciqfpfssuo", + "ingested": "2022-05-20T07:26:28Z", + "kind": "event", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "test-beats", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "test-beats", + "subnetwork_name": "windows-isolated", + "vpc_name": "windows-isolated" + } + }, + "firewall": { + "rule_details": { + "action": "ALLOW", + "direction": "INGRESS", + "ip_port_info": [ + { + "ip_protocol": "TCP", + "port_range": [ + "3389" + ] + } + ], + "priority": 1000, + "source_range": [ + "0.0.0.0/0" + ], + "target_tag": [ + "allow-rdp" + ] + } + } 
+ }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall" + }, + "network": { + "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=", + "direction": "inbound", + "iana_number": "6", + "name": "windows-isolated", + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "192.168.2.126", + "10.42.0.2" + ] + }, + "rule": { + "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp" + }, + "source": { + "address": "192.168.2.126", + "geo": { + "continent_name": "Asia", + "country_name": "omn" + }, + "ip": "192.168.2.126", + "port": 64853 + }, + "tags": [ + "forwarded", + "gcp-firewall" + ] +} +``` + +### VPC Flow + +The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text | +| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. 
| keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. | keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. 
| keyword | +| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword | +| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. 
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. | long | +| tags | List of keywords used to tag each event. 
| keyword | + + +An example event for `vpcflow` looks as following: + +```json +{ + "@timestamp": "2019-06-14T03:50:10.845Z", + "agent": { + "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "us-east1-b", + "project": { + "id": "my-sample-project" + }, + "provider": "gcp", + "region": "us-east1" + }, + "data_stream": { + "dataset": "gcp.vpcflow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "address": "67.43.156.14", + "as": { + "number": 35908 + }, + "domain": "elasticsearch", + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "port": 9200 + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "category": "network", + "created": "2022-05-20T07:27:09.739Z", + "dataset": "gcp.vpcflow", + "end": "2019-06-14T03:49:51.821308944Z", + "id": "ut8lbrffooxyp", + "ingested": "2022-05-20T07:27:10Z", + "kind": "event", + "start": "2019-06-14T03:40:08.469099728Z", + "type": "connection" + }, + "gcp": { + "destination": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "source": { + "instance": { + "project_id": "my-sample-project", + "region": "us-east1", + "zone": "us-east1-b" + }, + "vpc": { + "project_id": "my-sample-project", + "subnetwork_name": "default", + "vpc_name": "default" + } + }, + "vpcflow": { + "reporter": "SRC", + "rtt": { + "ms": 3 + } + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + 
"logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows" + }, + "network": { + "bytes": 15169, + "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=", + "direction": "internal", + "iana_number": "6", + "name": "default", + "packets": 92, + "transport": "tcp", + "type": "ipv4" + }, + "related": { + "ip": [ + "10.87.40.76", + "67.43.156.14" + ] + }, + "source": { + "address": "10.87.40.76", + "bytes": 15169, + "domain": "kibana", + "ip": "10.87.40.76", + "packets": 92, + "port": 33880 + }, + "tags": [ + "forwarded", + "gcp-vpcflow" + ] +} +``` + +### DNS + +The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.question.name | The name being queried. 
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.dns.auth_answer | Authoritative answer. | boolean | +| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip | +| gcp.dns.egress_error | Egress proxy error. | keyword | +| gcp.dns.protocol | Protocol TCP or UDP. | keyword | +| gcp.dns.query_name | DNS query name. | keyword | +| gcp.dns.query_type | DNS query type. | keyword | +| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword | +| gcp.dns.response_code | Response code. | keyword | +| gcp.dns.server_latency | Server latency. 
| integer | +| gcp.dns.source_ip | Source IP address of the query. | ip | +| gcp.dns.source_network | Source network of the query. | keyword | +| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword | +| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. 
| keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. 
| keyword | + + +An example event for `dns` looks as following: + +```json +{ + "@timestamp": "2022-01-23T09:16:05.341Z", + "agent": { + "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "cloud": { + "availability_zone": "europe-west2-a", + "instance": { + "id": "8340998530665147", + "name": "instance" + }, + "project": { + "id": "project" + }, + "provider": "gcp", + "region": "europe-west2" + }, + "data_stream": { + "dataset": "gcp.dns", + "namespace": "ep", + "type": "logs" + }, + "dns": { + "answers": [ + { + "class": "IN", + "data": "127.0.0.1", + "name": "elastic.co", + "ttl": "300", + "type": "A" + } + ], + "question": { + "name": "elastic.co", + "registered_domain": "elastic.co", + "top_level_domain": "co", + "type": "A" + }, + "resolved_ip": [ + "127.0.0.1" + ], + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-05-20T07:25:43.755Z", + "dataset": "gcp.dns", + "id": "vwroyze8pg7y", + "ingested": "2022-05-20T07:25:44Z", + "kind": "event", + "outcome": "success" + }, + "gcp": { + "dns": { + "auth_answer": true, + "protocol": "UDP", + "query_name": "elastic.co.", + "query_type": "A", + "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1", + "response_code": "NOERROR", + "server_latency": 14, + "source_ip": "10.154.0.3", + "source_network": "default", + "vm_instance_id": "8340998530665147", + "vm_instance_name": "694119234537.instance", + "vm_project_id": "project", + "vm_zone_name": "europe-west2-a" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries" + }, + "network": { + "transport": "udp" + }, + "source": { + "address": 
"10.154.0.3", + "ip": "10.154.0.3" + }, + "tags": [ + "forwarded", + "gcp-dns" + ] +} +``` diff --git a/packages/gcp/1.9.2/docs/audit.md b/packages/gcp/1.9.2/docs/audit.md new file mode 100755 index 0000000000..2e8c6995f7 --- /dev/null +++ b/packages/gcp/1.9.2/docs/audit.md 
@@ -0,0 +1,277 @@ +# Audit + +## Logs + +The `audit` dataset collects audit logs of administrative activities and accesses within your Google Cloud resources. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.user.email | User email address. | keyword | +| client.user.id | Unique identifier of the user. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | match_only_text | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| gcp.audit.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. 
| keyword | +| gcp.audit.authentication_info.principal_email | The email address of the authenticated user making the request. | keyword | +| gcp.audit.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities. | keyword | +| gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean | +| gcp.audit.authorization_info.permission | The required IAM permission. | keyword | +| gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword | +| gcp.audit.authorization_info.resource_attributes.name | The name of the resource. | keyword | +| gcp.audit.authorization_info.resource_attributes.service | The name of the service. | keyword | +| gcp.audit.authorization_info.resource_attributes.type | The type of the resource. | keyword | +| gcp.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | flattened | +| gcp.audit.logentry_operation.first | Optional. Set this to True if this is the first log entry in the operation. | boolean | +| gcp.audit.logentry_operation.id | Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation. | keyword | +| gcp.audit.logentry_operation.last | Optional. Set this to True if this is the last log entry in the operation. | boolean | +| gcp.audit.logentry_operation.producer | Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique. | keyword | +| gcp.audit.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. 
| keyword | +| gcp.audit.num_response_items | The number of items returned from a List or Query API method, if applicable. | long | +| gcp.audit.request | | flattened | +| gcp.audit.request_metadata.caller_ip | The IP address of the caller. | ip | +| gcp.audit.request_metadata.caller_supplied_user_agent | The user agent of the caller. This information is not authenticated and should be treated accordingly. | keyword | +| gcp.audit.request_metadata.raw.caller_ip | The raw IP address of the caller. | keyword | +| gcp.audit.resource_location.current_locations | Current locations of the resource. | array | +| gcp.audit.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. | keyword | +| gcp.audit.response | | flattened | +| gcp.audit.service_name | The name of the API service performing the operation. For example, datastore.googleapis.com. | keyword | +| gcp.audit.status.code | The status code, which should be an enum value of google.rpc.Code. | integer | +| gcp.audit.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword | +| gcp.audit.type | Type property. | keyword | +| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.instance.region | Region of the VM. | keyword | +| gcp.destination.instance.zone | Zone of the VM. | keyword | +| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| gcp.source.instance.project_id | ID of the project containing the VM. | keyword | +| gcp.source.instance.region | Region of the VM. 
| keyword | +| gcp.source.instance.zone | Zone of the VM. | keyword | +| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword | +| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword | +| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | +| log.offset | Log offset | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| orchestrator.api_version | API version being used to carry out the action | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| orchestrator.cluster.version | The version of the cluster. | keyword | +| orchestrator.namespace | Namespace in which the action is taking place. | keyword | +| orchestrator.organization | Organization affected by the event (for multi-tenant orchestrator setups). | keyword | +| orchestrator.resource.name | Name of the resource being acted upon. | keyword | +| orchestrator.resource.type | Type of resource being acted upon. | keyword | +| orchestrator.type | Orchestrator cluster type (e.g. 
kubernetes, nomad or cloudfoundry). | keyword | +| service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.email | User email address. | keyword | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. 
| match_only_text | +| user_agent.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.kernel | Operating system kernel version as a raw string. | keyword | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2019-12-19T00:44:25.051Z", + "agent": { + "ephemeral_id": "15ffa48e-049a-4ead-9716-cea0236748c4", + "hostname": "docker-fleet-agent", + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "client": { + "user": { + "email": "xxx@xxx.xxx" + } + }, + "cloud": { + "project": { + "id": "elastic-beats" + }, + "provider": "gcp" + }, + "data_stream": { + "dataset": "gcp.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "df142714-8028-4ef0-a80c-4eb03051c084", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "beta.compute.instances.aggregatedList", + "agent_id_status": "verified", + "category": [ + "network", + "configuration" + ], + "created": "2022-05-20T07:25:00.534Z", + "dataset": "gcp.audit", + "id": "yonau2dg2zi", + "ingested": "2022-05-20T07:25:01Z", + "kind": "event", + "outcome": "success", + "provider": "data_access", + "type": [ + "access", + "allowed" + ] + }, + "gcp": { + "audit": { + "authentication_info": { + "principal_email": 
"xxx@xxx.xxx" + }, + "authorization_info": [ + { + "granted": true, + "permission": "compute.instances.list", + "resource_attributes": { + "name": "projects/elastic-beats", + "service": "resourcemanager", + "type": "resourcemanager.projects" + } + } + ], + "method_name": "beta.compute.instances.aggregatedList", + "num_response_items": 61, + "request": { + "@type": "type.googleapis.com/compute.instances.aggregatedList" + }, + "request_metadata": { + "caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)" + }, + "resource_location": { + "current_locations": [ + "global" + ] + }, + "resource_name": "projects/elastic-beats/global/instances", + "response": { + "@type": "core.k8s.io/v1.Status", + "apiVersion": "v1", + "details": { + "group": "batch", + "kind": "jobs", + "name": "gsuite-exporter-1589294700", + "uid": "2beff34a-945f-11ea-bacf-42010a80007f" + }, + "kind": "Status", + "status": "Success" + }, + "service_name": "compute.googleapis.com", + "type": "type.googleapis.com/google.cloud.audit.AuditLog" + } + }, + "input": { + "type": "gcp-pubsub" + }, + "log": { + "level": "INFO", + "logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access" + }, + "service": { + "name": "compute.googleapis.com" + }, + "source": { + "ip": "192.168.1.1" + }, + "tags": [ + "forwarded", + "gcp-audit" + ], + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", + "os": { + "full": "Mac OS X 10.15", + "name": "Mac OS X", + "version": "10.15" + }, + "version": "71.0." + } +} +``` diff --git a/packages/gcp/1.9.2/docs/dns.md b/packages/gcp/1.9.2/docs/dns.md new file mode 100755 index 0000000000..1d7e31a900 --- /dev/null +++ b/packages/gcp/1.9.2/docs/dns.md 
@@ -0,0 +1,196 @@
+# DNS
+
+## Logs
+
+The `dns` dataset collects queries that name servers resolve for your Virtual Private Cloud (VPC) networks, as well as queries from an external entity directly to a public zone.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). 
| ip |
+| dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
+| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
+| dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). 
Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
+| dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
+| dns.question.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| dns.question.type | The type of record being queried. | keyword |
+| dns.resolved_ip | Array containing all IPs seen in `answers.data`. The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. | ip |
+| dns.response_code | The DNS response code. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| gcp.dns.auth_answer | Authoritative answer. | boolean |
+| gcp.dns.destination_ip | Destination IP address, only applicable for forwarding cases. | ip |
+| gcp.dns.egress_error | Egress proxy error. | keyword |
+| gcp.dns.protocol | Protocol TCP or UDP. | keyword |
+| gcp.dns.query_name | DNS query name. | keyword |
+| gcp.dns.query_type | DNS query type. | keyword |
+| gcp.dns.rdata | DNS answer in presentation format, truncated to 260 bytes. | keyword |
+| gcp.dns.response_code | Response code. | keyword |
+| gcp.dns.server_latency | Server latency. | integer |
+| gcp.dns.source_ip | Source IP address of the query. | ip |
+| gcp.dns.source_network | Source network of the query. | keyword |
+| gcp.dns.vm_instance_id | Compute Engine VM instance ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| gcp.dns.vm_instance_name | Compute Engine VM instance name, only applicable to queries initiated by Compute Engine VMs. 
| keyword |
+| gcp.dns.vm_project_id | Google Cloud project ID, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| gcp.dns.vm_zone_name | Google Cloud VM zone, only applicable to queries initiated by Compute Engine VMs. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
+| input.type | Input type | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+An example event for `dns` looks as following:
+
+```json
+{
+ "@timestamp": "2022-01-23T09:16:05.341Z",
+ "agent": {
+ "ephemeral_id": "0d2f83ac-67e6-454f-84eb-859aa503167a",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "europe-west2-a",
+ "instance": {
+ "id": "8340998530665147",
+ "name": "instance"
+ },
+ "project": {
+ "id": "project"
+ },
+ "provider": "gcp",
+ "region": "europe-west2"
+ },
+ "data_stream": {
+ "dataset": "gcp.dns",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "127.0.0.1",
+ "name": "elastic.co",
+ "ttl": "300",
+ "type": "A"
+ }
+ ],
+ "question": {
+ "name": "elastic.co",
+ "registered_domain": "elastic.co",
+ "top_level_domain": "co",
+ "type": "A"
+ },
+ "resolved_ip": [
+ "127.0.0.1"
+ ],
+ "response_code": "NOERROR"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+
"version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-05-20T07:25:43.755Z",
+ "dataset": "gcp.dns",
+ "id": "vwroyze8pg7y",
+ "ingested": "2022-05-20T07:25:44Z",
+ "kind": "event",
+ "outcome": "success"
+ },
+ "gcp": {
+ "dns": {
+ "auth_answer": true,
+ "protocol": "UDP",
+ "query_name": "elastic.co.",
+ "query_type": "A",
+ "rdata": "elastic.co.\t300\tIN\ta\t127.0.0.1",
+ "response_code": "NOERROR",
+ "server_latency": 14,
+ "source_ip": "10.154.0.3",
+ "source_network": "default",
+ "vm_instance_id": "8340998530665147",
+ "vm_instance_name": "694119234537.instance",
+ "vm_project_id": "project",
+ "vm_zone_name": "europe-west2-a"
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/project/logs/dns.googleapis.com%2Fdns_queries"
+ },
+ "network": {
+ "transport": "udp"
+ },
+ "source": {
+ "address": "10.154.0.3",
+ "ip": "10.154.0.3"
+ },
+ "tags": [
+ "forwarded",
+ "gcp-dns"
+ ]
+}
+```
diff --git a/packages/gcp/1.9.2/docs/firewall.md b/packages/gcp/1.9.2/docs/firewall.md
new file mode 100755
index 0000000000..bfdbb35812
--- /dev/null
+++ b/packages/gcp/1.9.2/docs/firewall.md
@@ -0,0 +1,253 @@
+# Firewall
+
+## Logs
+
+The `firewall` dataset collects logs from Firewall Rules in your Virtual Private Cloud (VPC) networks.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. 
For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.instance.region | Region of the VM. | keyword |
+| gcp.destination.instance.zone | Zone of the VM. | keyword |
+| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.firewall.rule_details.action | Action that the rule performs on match. | keyword |
+| gcp.firewall.rule_details.destination_range | List of destination ranges that the firewall applies to. | keyword |
+| gcp.firewall.rule_details.direction | Direction of traffic that matches this rule. | keyword |
+| gcp.firewall.rule_details.ip_port_info | List of ip protocols and applicable port ranges for rules. | array |
+| gcp.firewall.rule_details.priority | The priority for the firewall rule. | long |
+| gcp.firewall.rule_details.reference | Reference to the firewall rule. | keyword |
+| gcp.firewall.rule_details.source_range | List of source ranges that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.source_service_account | List of all the source service accounts that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.source_tag | List of all the source tags that the firewall rule applies to. | keyword |
+| gcp.firewall.rule_details.target_service_account | List of all the target service accounts that the firewall rule applies to. 
| keyword |
+| gcp.firewall.rule_details.target_tag | List of all the target tags that the firewall rule applies to. | keyword |
+| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.instance.region | Region of the VM. | keyword |
+| gcp.source.instance.zone | Zone of the VM. | keyword |
+| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. 
| text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". 
Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. 
| keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. 
| keyword |
+
+
+An example event for `firewall` looks as following:
+
+```json
+{
+ "@timestamp": "2019-10-30T13:52:42.191Z",
+ "agent": {
+ "ephemeral_id": "1f7633a7-3410-4684-bb55-14b0bd0e2bd4",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "test-beats"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.firewall",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "10.42.0.2",
+ "domain": "test-windows",
+ "ip": "10.42.0.2",
+ "port": 3389
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "action": "firewall-rule",
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:26:27.445Z",
+ "dataset": "gcp.firewall",
+ "id": "1f21ciqfpfssuo",
+ "ingested": "2022-05-20T07:26:28Z",
+ "kind": "event",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "test-beats",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "test-beats",
+ "subnetwork_name": "windows-isolated",
+ "vpc_name": "windows-isolated"
+ }
+ },
+ "firewall": {
+ "rule_details": {
+ "action": "ALLOW",
+ "direction": "INGRESS",
+ "ip_port_info": [
+ {
+ "ip_protocol": "TCP",
+ "port_range": [
+ "3389"
+ ]
+ }
+ ],
+ "priority": 1000,
+ "source_range": [
+ "0.0.0.0/0"
+ ],
+ "target_tag": [
+ "allow-rdp"
+ ]
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/test-beats/logs/compute.googleapis.com%2Ffirewall"
+ },
+ "network": {
+ "community_id": "1:OdLB9eXsBDLz8m97ao4LepX6q+4=",
+ "direction": "inbound",
+ "iana_number": "6",
+ "name": "windows-isolated",
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+
"related": {
+ "ip": [
+ "192.168.2.126",
+ "10.42.0.2"
+ ]
+ },
+ "rule": {
+ "name": "network:windows-isolated/firewall:windows-isolated-allow-rdp"
+ },
+ "source": {
+ "address": "192.168.2.126",
+ "geo": {
+ "continent_name": "Asia",
+ "country_name": "omn"
+ },
+ "ip": "192.168.2.126",
+ "port": 64853
+ },
+ "tags": [
+ "forwarded",
+ "gcp-firewall"
+ ]
+}
+```
diff --git a/packages/gcp/1.9.2/docs/vpcflow.md b/packages/gcp/1.9.2/docs/vpcflow.md
new file mode 100755
index 0000000000..05973abc33
--- /dev/null
+++ b/packages/gcp/1.9.2/docs/vpcflow.md
@@ -0,0 +1,258 @@
+# VPC Flow
+
+## Logs
+
+The `vpcflow` dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.as.organization.name.text | Multi-field of `destination.as.organization.name`. | match_only_text |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| destination.geo.region_iso_code | Region ISO code. | keyword |
+| destination.geo.region_name | Region name. | keyword |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.start | event.start contains the date when the event started or when the activity was first observed. | date |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| gcp.destination.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.instance.region | Region of the VM. | keyword |
+| gcp.destination.instance.zone | Zone of the VM. | keyword |
+| gcp.destination.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.destination.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.destination.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.source.instance.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.instance.region | Region of the VM. | keyword |
+| gcp.source.instance.zone | Zone of the VM. | keyword |
+| gcp.source.vpc.project_id | ID of the project containing the VM. | keyword |
+| gcp.source.vpc.subnetwork_name | Subnetwork on which the VM is operating. | keyword |
+| gcp.source.vpc.vpc_name | VPC on which the VM is operating. | keyword |
+| gcp.vpcflow.reporter | The side which reported the flow. Can be either 'SRC' or 'DEST'. | keyword |
+| gcp.vpcflow.rtt.ms | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | long |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| rule.name | The name of the rule or signature generating the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
+
+An example event for `vpcflow` looks as following:
+
+```json
+{
+ "@timestamp": "2019-06-14T03:50:10.845Z",
+ "agent": {
+ "ephemeral_id": "10bb82a5-c0e6-4aed-8589-003f734a7183",
+ "hostname": "docker-fleet-agent",
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.17.0"
+ },
+ "cloud": {
+ "availability_zone": "us-east1-b",
+ "project": {
+ "id": "my-sample-project"
+ },
+ "provider": "gcp",
+ "region": "us-east1"
+ },
+ "data_stream": {
+ "dataset": "gcp.vpcflow",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "destination": {
+ "address": "67.43.156.14",
+ "as": {
+ "number": 35908
+ },
+ "domain": "elasticsearch",
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.14",
+ "port": 9200
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "df142714-8028-4ef0-a80c-4eb03051c084",
+ "snapshot": false,
+ "version": "7.17.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "network",
+ "created": "2022-05-20T07:27:09.739Z",
+ "dataset": "gcp.vpcflow",
+ "end": "2019-06-14T03:49:51.821308944Z",
+ "id": "ut8lbrffooxyp",
+ "ingested": "2022-05-20T07:27:10Z",
+ "kind": "event",
+ "start": "2019-06-14T03:40:08.469099728Z",
+ "type": "connection"
+ },
+ "gcp": {
+ "destination": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "source": {
+ "instance": {
+ "project_id": "my-sample-project",
+ "region": "us-east1",
+ "zone": "us-east1-b"
+ },
+ "vpc": {
+ "project_id": "my-sample-project",
+ "subnetwork_name": "default",
+ "vpc_name": "default"
+ }
+ },
+ "vpcflow": {
+ "reporter": "SRC",
+ "rtt": {
+ "ms": 3
+ }
+ }
+ },
+ "input": {
+ "type": "gcp-pubsub"
+ },
+ "log": {
+ "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
+ },
+ "network": {
+ "bytes": 15169,
+ "community_id": "1:NAY9D1IuyJAG+Hm34t3LIlP6/4c=",
+ "direction": "internal",
+ "iana_number": "6",
+ "name": "default",
+ "packets": 92,
+ "transport": "tcp",
+ "type": "ipv4"
+ },
+ "related": {
+ "ip": [
+ "10.87.40.76",
+ "67.43.156.14"
+ ]
+ },
+ "source": {
+ "address": "10.87.40.76",
+ "bytes": 15169,
+ "domain": "kibana",
+ "ip": "10.87.40.76",
+ "packets": 92,
+ "port": 33880
+ },
+ "tags": [
+ "forwarded",
+ "gcp-vpcflow"
+ ]
+}
+```
diff --git a/packages/gcp/1.9.2/img/filebeat-gcp-audit.png b/packages/gcp/1.9.2/img/filebeat-gcp-audit.png
new file mode 100755
index 0000000000..4f68932e9f
Binary files /dev/null and b/packages/gcp/1.9.2/img/filebeat-gcp-audit.png differ
diff --git a/packages/gcp/1.9.2/img/logo_gcp.svg b/packages/gcp/1.9.2/img/logo_gcp.svg
new file mode 100755
index 0000000000..75e139f9b2
--- /dev/null
+++ b/packages/gcp/1.9.2/img/logo_gcp.svg
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/packages/gcp/1.9.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
new file mode 100755
index 0000000000..fd857ca086
--- /dev/null
+++ b/packages/gcp/1.9.2/kibana/dashboard/gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf.json
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "Overview of the audit log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":9,\"i\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"w\":48,\"x\":0,\"y\":29},\"panelIndex\":\"95ebbda8-9b00-4b23-b116-72569ea031e3\",\"panelRefName\":\"panel_95ebbda8-9b00-4b23-b116-72569ea031e3\",\"title\":\"Audit Event List\",\"type\":\"search\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"description\":\"\",\"layerListJSON\":\"[{\\\"alpha\\\":1,\\\"id\\\":\\\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\\\",\\\"label\\\":null,\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"sourceDescriptor\\\":{\\\"isAutoSelect\\\":true,\\\"type\\\":\\\"EMS_TMS\\\"},\\\"style\\\":{},\\\"type\\\":\\\"VECTOR_TILE\\\",\\\"visible\\\":true},{\\\"alpha\\\":0.75,\\\"id\\\":\\\"279da950-e9a7-4287-ab37-25906e448455\\\",\\\"joins\\\":[],\\\"label\\\":\\\"Source 
Locations\\\",\\\"maxZoom\\\":24,\\\"minZoom\\\":0,\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"data_stream.dataset:gcp.audit\\\"},\\\"sourceDescriptor\\\":{\\\"applyGlobalQuery\\\":true,\\\"filterByMapBounds\\\":true,\\\"geoField\\\":\\\"source.geo.location\\\",\\\"id\\\":\\\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\\\",\\\"scalingType\\\":\\\"LIMIT\\\",\\\"sortField\\\":\\\"\\\",\\\"sortOrder\\\":\\\"desc\\\",\\\"tooltipProperties\\\":[],\\\"topHitsSize\\\":1,\\\"type\\\":\\\"ES_SEARCH\\\",\\\"indexPatternId\\\":\\\"logs-*\\\"},\\\"style\\\":{\\\"isTimeAware\\\":true,\\\"properties\\\":{\\\"fillColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#54B399\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"icon\\\":{\\\"options\\\":{\\\"value\\\":\\\"marker\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"iconOrientation\\\":{\\\"options\\\":{\\\"orientation\\\":0},\\\"type\\\":\\\"STATIC\\\"},\\\"iconSize\\\":{\\\"options\\\":{\\\"size\\\":6},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#FFFFFF\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelBorderSize\\\":{\\\"options\\\":{\\\"size\\\":\\\"SMALL\\\"}},\\\"labelColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#000000\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"labelSize\\\":{\\\"options\\\":{\\\"size\\\":14},\\\"type\\\":\\\"STATIC\\\"},\\\"labelText\\\":{\\\"options\\\":{\\\"value\\\":\\\"\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineColor\\\":{\\\"options\\\":{\\\"color\\\":\\\"#41937c\\\"},\\\"type\\\":\\\"STATIC\\\"},\\\"lineWidth\\\":{\\\"options\\\":{\\\"size\\\":1},\\\"type\\\":\\\"STATIC\\\"},\\\"symbolizeAs\\\":{\\\"options\\\":{\\\"value\\\":\\\"circle\\\"}}},\\\"type\\\":\\\"VECTOR\\\"},\\\"type\\\":\\\"VECTOR\\\",\\\"visible\\\":true}]\",\"mapStateJSON\":\"{\\\"center\\\":{\\\"lat\\\":19.94277,\\\"lon\\\":0},\\\"filters\\\":[],\\\"query\\\":{\\\"language\\\":\\\"kuery\\\",\\\"query\\\":\\\"\\\"},\\\"refreshConfig\\\":{\\\"interval\\\":0,\\\"isPaused\\\":false},\\\"settings\\\":{\\\"autoFitTo
DataBounds\\\":false},\\\"timeFilters\\\":{\\\"from\\\":\\\"now-7d\\\",\\\"to\\\":\\\"now\\\"},\\\"zoom\\\":1.97}\",\"references\":[{\"id\":\"logs-*\",\"name\":\"layer_1_source_index_pattern\",\"type\":\"index-pattern\"}],\"title\":\"Audit Source Locations [Logs GCP]\",\"uiStateJSON\":\"{\\\"isLayerTOCOpen\\\":true,\\\"openTOCDetails\\\":[]}\"},\"enhancements\":{},\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":32.1625,\"lon\":-48.67493,\"zoom\":1.97},\"openTOCDetails\":[]},\"gridData\":{\"h\":15,\"i\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"68d8455e-9e37-48fa-ae7c-ee1022c52dff\",\"title\":\"Audit Source Locations\",\"type\":\"map\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"30d\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":true,\"missingBucketLabel\":\"[unknown]\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},
\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"isVislibVis\":true,\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":1,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Audit Events Outcome over time [Logs GCP]\",\"type\":\"histogram\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"9f857560-27dd-4dfc-8b9d-814d0877fa0c\",\"title\":\"Audit Events Outcome over 
time\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Event Action [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"w\":12,\"x\":0,\"y\":15},\"panelIndex\":\"4e8256f8-eb9f-4d9d-8712-f237d7d653f3\",\"title\":\"Audit Event 
Action\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.email\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"maxFontSize\":30,\"minFontSize\":10,\"orientation\":\"single\",\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"scale\":\"linear\",\"showLabel\":true},\"title\":\"Audit Top User Email [Logs GCP]\",\"type\":\"tagcloud\",\"uiState\":{}}},\"gridData\":{\"h\":14,\"i\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"w\":12,\"x\":12,\"y\":15},\"panelIndex\":\"c84d3240-c7fe-49cd-9a47-7c4acc95cc3d\",\"title\":\"Audit Top User 
Email\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user_agent.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit User Agent [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"w\":12,\"x\":24,\"y\":15},\"panelIndex\":\"9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177\",\"title\":\"Audit User 
Agent\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"gcp.audit.resource_name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":20},\"schema\":\"segment\",\"type\":\"terms\"}],\"savedSearchId\":\"gcp-d88364c0-73a1-11ea-a345-f985c61fe654\",\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":true,\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"kibana_palette\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Audit Resource Name [Logs GCP]\",\"type\":\"pie\",\"uiState\":{\"vis\":{\"legendOpen\":true}}}},\"gridData\":{\"h\":14,\"i\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"w\":12,\"x\":36,\"y\":15},\"panelIndex\":\"80c40a0a-c2f5-4e8b-9268-fa281d46295d\",\"title\":\"Audit Resource Name\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-48e12760-cbe4-11ec-b519-85ccf621cbbf", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "95ebbda8-9b00-4b23-b116-72569ea031e3:panel_95ebbda8-9b00-4b23-b116-72569ea031e3", + "type": "search" + }, + { + "id": "logs-*", + "name": 
"68d8455e-9e37-48fa-ae7c-ee1022c52dff:layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "9f857560-27dd-4dfc-8b9d-814d0877fa0c:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "4e8256f8-eb9f-4d9d-8712-f237d7d653f3:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "c84d3240-c7fe-49cd-9a47-7c4acc95cc3d:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "9ba4db1f-9ea5-4bb0-b7d2-afc82a7ca177:search_0", + "type": "search" + }, + { + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "name": "80c40a0a-c2f5-4e8b-9268-fa281d46295d:search_0", + "type": "search" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json b/packages/gcp/1.9.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json new file mode 100755 index 0000000000..0462344e04 --- /dev/null +++ b/packages/gcp/1.9.2/kibana/dashboard/gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf.json 
@@ -0,0 +1,152 @@ +{ + "attributes": { + "description": "Overview of the firewall log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# GCP Firewall dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"11594540-5527-4301-aa08-24093d75d4b4\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3a32ec4e-e826-4732-a33c-af6e11d7218e\":{\"columnOrder\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\",\"fc59d35f-50a2-491b-b243-d55c3a2c936b\"],\"columns\":{\"3938f412-fdf3-4714-a1d5-a06e36a8128b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"fc59d35f-50a2-491b-b243-d55c3a2c936b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"3938f412-fdf3-4714-a1d5-a06e36a8128b\"],\"layerId\":\"3a32ec4e-e826-4732-a33c-af6e11d7218e\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"fc59d35f-50a2-491b-b243-d55c3a2c936b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"w\":7,\"x\":0,\"y\":5},\"panelIndex\":\"77c85299-e3b8-4338-9113-a3b56ba741c7\",\"title\":\"GCP Project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"2f350b92-4c75-4171-887e-1787cc418027\":{\"columnOrder\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\",\"e93ea5b6-65da-4993-a462-fb610a41824b\"],\"columns\":{\"772e05df-b7e8-4757-bcbf-35d17f2faec7\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"e93ea5b6-65da-4993-a462-fb610a41824b\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"772e05df-b7e8-4757-bcbf-35d17f2faec7\"],\"layerId\":\"2f350b92-4c75-4171-887e-1787cc418027\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"e93ea5b6-65da-4993-a462-fb610a41824b\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"w\":7,\"x\":7,\"y\":5},\"panelIndex\":\"0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6\",\"title\":\"GCP region\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\":{\"columnOrder\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\",\"95c9e43b-8993-46f0-b21f-09a26f940dbb\"],\"columns\":{\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.direction\"},\"95c9e43b-8993-46f0-b21f-09a26f940dbb\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"1ffd51e6-7ef8-4109-ad72-3d5e90bbdb31\"],\"layerId\":\"654ef7b2-0b28-4fc9-82a4-95e925db36a6\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"95c9e43b-8993-46f0-b21f-09a26f940dbb\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"w\":7,\"x\":14,\"y\":5},\"panelIndex\":\"fe15fb67-185b-426d-a575-86a6570e9b39\",\"title\":\"Rule direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1f9dacfe-adbe-4312-8752-e6ef33190614\":{\"columnOrder\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\",\"513d8907-d730-452a-8949-a1253e54092f\"],\"columns\":{\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"513d8907-d730-452a-8949-a1253e54092f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"513d8907-d730-452a-8949-a1253e54092f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"428cb2ae-d9d0-4f84-8771-9045dc7ad6b2\"],\"layerId\":\"1f9dacfe-adbe-4312-8752-e6ef33190614\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"513d8907-d730-452a-8949-a1253e54092f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"pie\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"w\":7,\"x\":21,\"y\":5},\"panelIndex\":\"5e11178e-7303-48dc-8549-73e80f5c9b2c\",\"title\":\"Rule action\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\":{\"columnOrder\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\",\"6ce82469-1771-4f1a-96af-1387e676492f\"],\"columns\":{\"6ce82469-1771-4f1a-96af-1387e676492f\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of 
records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.ip_port_info.ip_protocol\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"size\":7},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.ip_port_info.ip_protocol\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"b24ed9f4-2bd9-42fd-8924-f63ad2780146\"],\"layerId\":\"9c02e90f-5fb4-4c58-9c74-bf76f2b246fc\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"6ce82469-1771-4f1a-96af-1387e676492f\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"w\":9,\"x\":28,\"y\":5},\"panelIndex\":\"735c4030-d5b3-459c-9000-427ca5cb9d70\",\"title\":\"Protocols\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\":{\"columnOrder\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\",\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\"],\"columns\":{\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count
\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"9162c285-d838-46ea-99c3-54cf59ec1a1d\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Target Tag\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.target_tag\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"9162c285-d838-46ea-99c3-54cf59ec1a1d\"],\"layerId\":\"49f72f3e-4ec2-418f-8183-30f7ca58c8e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"5783f5fa-33c4-407f-8ee6-b0e7d693e993\",\"nestedLegend\":false,\"numberDisplay\":\"percent\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"w\":11,\"x\":37,\"y\":5},\"panelIndex\":\"b8028d6f-bf4e-43a0-b19a-65047c757821\",\"title\":\"Target 
Tag\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"942bb851-a16a-4422-afaf-8521bb72644f\":{\"columnOrder\":[\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"a2c30dbc-5784-423d-a343-177a03140465\",\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"columns\":{\"a2c30dbc-5784-423d-a343-177a03140465\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of gcp.firewall.rule_details.action\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"da23fc0e-33d4-4361-8ddb-67862b6e0951\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":3},\"scale\":\"ordinal\",\"sourceField\":\"gcp.firewall.rule_details.action\"},\"da23fc0e-33d4-4361-8ddb-67862b6e0951\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"da23fc0e-33d4-4361-8ddb-67862b6e0951\"],\"layerId\":\"942bb851-a16a-4422-afaf-8521bb72644f\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"ad5cb314-cb12-40c6-a623-d6ffdf0ee027\",\"xAccessor\":\"a2c30dbc-5784-423d-a343-177a03140465\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":10,\"i\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"w\":48,\"x\":0,\"y\":16},\"panelIndex\":\"63b2dd96-9ce1-43cc-add3-7bc34ff4b296\",\"title\":\"Firewall events over 
time\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"609d8521-e339-49d2-8564-713fd932c285\":{\"columnOrder\":[\"f9145218-da9e-43c9-9e22-c707834256cc\",\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"columns\":{\"426e0fb0-db17-4e02-8fc8-60d472e450f2\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Priority\",\"operationType\":\"range\",\"params\":{\"maxBars\":\"auto\",\"ranges\":[{\"from\":0,\"label\":\"\",\"to\":1000}],\"type\":\"histogram\"},\"scale\":\"interval\",\"sourceField\":\"gcp.firewall.rule_details.priority\"},\"d2e14e21-2c9b-46b9-8508-288c81cbc712\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"f9145218-da9e-43c9-9e22-c707834256cc\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"VM\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d2e14e21-2c9b-46b9-8508-288c81cbc712\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.instance.name\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" 
\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"d2e14e21-2c9b-46b9-8508-288c81cbc712\"],\"layerId\":\"609d8521-e339-49d2-8564-713fd932c285\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_horizontal\",\"showGridlines\":false,\"splitAccessor\":\"426e0fb0-db17-4e02-8fc8-60d472e450f2\",\"xAccessor\":\"f9145218-da9e-43c9-9e22-c707834256cc\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_horizontal\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"w\":24,\"x\":0,\"y\":26},\"panelIndex\":\"e9a02bc3-c20c-4a38-8c75-2db4923c60a3\",\"title\":\"Top VMs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1559a734-d79f-47af-95f1-0278d058a38c\":{\"columnOrder\":[\"45e4569d-d389-4118-8079-431dd014760b\",\"d7154085-306d-4cf4-89bf-522a2a4dc723\"],\"columns\":{\"45e4569d-d389-4118-8079-431dd014760b\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
rule.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"rule.name\"},\"d7154085-306d-4cf4-89bf-522a2a4dc723\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Count of records\",\"operationType\":\"count\",\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"45e4569d-d389-4118-8079-431dd014760b\"],\"layerId\":\"1559a734-d79f-47af-95f1-0278d058a38c\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"d7154085-306d-4cf4-89bf-522a2a4dc723\",\"nestedLegend\":false,\"numberDisplay\":\"percent\",\"percentDecimals\":2}],\"shape\":\"treemap\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":13,\"i\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"w\":24,\"x\":24,\"y\":26},\"panelIndex\":\"c704818b-a568-4142-92f0-3ff09f0fb8e6\",\"title\":\"Firewall rules\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Destination 
Port\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.port\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":true,\"label\":\"Source IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.port\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap 
chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"w\":24,\"x\":0,\"y\":39},\"panelIndex\":\"f5d8c4eb-716d-4286-9f82-4cff620b3b11\",\"title\":\"Events between Ports\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"ced29d00-2d8b-43b9-bcc5-361f940b534c\":{\"columnOrder\":[\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\",\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\"],\"columns\":{\"3d150b77-0069-4770-8e55-38e152a4e97c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Destination IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\"},\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Events\",\"operationType\":\"count\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\":{\"customLabel\":true,\"dataType\":\"ip\",\"isBucketed\":true,\"label\":\"Source 
IP\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.ip\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.firewall\\\" \"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"ced29d00-2d8b-43b9-bcc5-361f940b534c\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"maxLines\":1,\"position\":\"right\",\"shouldTruncate\":true,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"title\":\"Empty Heatmap chart\",\"valueAccessor\":\"4ed872b0-f56b-4d53-b5a6-82d6f177fadc\",\"xAccessor\":\"3d150b77-0069-4770-8e55-38e152a4e97c\",\"yAccessor\":\"8aa7938e-eccd-4b41-8147-ac09a0ba4b1c\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"w\":24,\"x\":24,\"y\":39},\"panelIndex\":\"bfc4e50a-001c-4d8a-9074-8b1c969eabd5\",\"title\":\"Events between 
IPs\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: 
\\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", 
as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"w\":24,\"x\":0,\"y\":54},\"panelIndex\":\"899f49c0-9400-452b-b833-5b59e3ad0338\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.firewall\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.firewall\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"w\":24,\"x\":24,\"y\":54},\"panelIndex\":\"6f5213ce-73ea-4438-88e4-b5cb5506a9c9\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"fb39f126-e3c2-4ae0-a484-a39accee7efd\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]",
+ "timeRestore": false,
+ "title": "[Logs GCP] Firewall",
+ "version": 1
+ },
+ "coreMigrationVersion": "7.17.0",
+ "id": "gcp-8a1fb690-cbeb-11ec-b519-85ccf621cbbf",
+ "migrationVersion": {
+ "dashboard": "7.17.0"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "77c85299-e3b8-4338-9113-a3b56ba741c7:indexpattern-datasource-layer-3a32ec4e-e826-4732-a33c-af6e11d7218e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "0fc7a288-d3c6-4f18-8d0e-ca3c0f66aeb6:indexpattern-datasource-layer-2f350b92-4c75-4171-887e-1787cc418027",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "fe15fb67-185b-426d-a575-86a6570e9b39:indexpattern-datasource-layer-654ef7b2-0b28-4fc9-82a4-95e925db36a6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "5e11178e-7303-48dc-8549-73e80f5c9b2c:indexpattern-datasource-layer-1f9dacfe-adbe-4312-8752-e6ef33190614",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "735c4030-d5b3-459c-9000-427ca5cb9d70:indexpattern-datasource-layer-9c02e90f-5fb4-4c58-9c74-bf76f2b246fc",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b8028d6f-bf4e-43a0-b19a-65047c757821:indexpattern-datasource-layer-49f72f3e-4ec2-418f-8183-30f7ca58c8e7",
+ "type": "index-pattern"
+ 
},
+ {
+ "id": "logs-*",
+ "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "63b2dd96-9ce1-43cc-add3-7bc34ff4b296:indexpattern-datasource-layer-942bb851-a16a-4422-afaf-8521bb72644f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e9a02bc3-c20c-4a38-8c75-2db4923c60a3:indexpattern-datasource-layer-609d8521-e339-49d2-8564-713fd932c285",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "c704818b-a568-4142-92f0-3ff09f0fb8e6:indexpattern-datasource-layer-1559a734-d79f-47af-95f1-0278d058a38c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "f5d8c4eb-716d-4286-9f82-4cff620b3b11:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-current-indexpattern",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "bfc4e50a-001c-4d8a-9074-8b1c969eabd5:indexpattern-datasource-layer-ced29d00-2d8b-43b9-bcc5-361f940b534c",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "899f49c0-9400-452b-b833-5b59e3ad0338:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "6f5213ce-73ea-4438-88e4-b5cb5506a9c9:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "name": 
"tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28",
+ "type": "tag"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
diff --git a/packages/gcp/1.9.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json b/packages/gcp/1.9.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
new file mode 100755
index 0000000000..46cef5aac9
--- /dev/null
+++ b/packages/gcp/1.9.2/kibana/dashboard/gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f.json
@@ -0,0 +1,152 @@ +{ + "attributes": { + "description": "Overview of the VPC flow log data from Google Cloud.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"id\":\"\",\"params\":{\"fontSize\":12,\"markdown\":\"# Google VPC Flow dashboard\",\"openLinksInNewTab\":false},\"title\":\"\",\"type\":\"markdown\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"a6977559-b547-4175-a1aa-f59715042492\",\"w\":40,\"x\":0,\"y\":0},\"panelIndex\":\"a6977559-b547-4175-a1aa-f59715042492\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
gcp.vpcflow.reporter\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"gcp.vpcflow.reporter\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"w\":8,\"x\":40,\"y\":5},\"panelIndex\":\"fd65090b-d291-4771-865d-c5fa77a1b2a2\",\"title\":\"Bytes per reporter\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.project.id\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.project.id\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"w\":8,\"x\":0,\"y\":5},\"panelIndex\":\"4489b109-a7f8-4a9d-b85f-0fe613368eda\",\"title\":\"Bytes per project\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
network.name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"w\":8,\"x\":8,\"y\":5},\"panelIndex\":\"061ff6b2-a70a-42dc-87fd-45d185b277ac\",\"title\":\"Bytes per sub-network\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
cloud.region\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"cloud.region\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"w\":8,\"x\":16,\"y\":5},\"panelIndex\":\"42eee1cd-e816-4f6e-a700-401e8ff1a2f5\",\"title\":\"Bytes per region / zone\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.geo.continent_name\"},\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of destination.geo.continent_name\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.geo.continent_name\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset : \\\"gcp.vpcflow\\\" \"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a0ef9781-cada-4dac-a5c6-50b6d36aaace\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"w\":8,\"x\":24,\"y\":5},\"panelIndex\":\"9714edf3-3894-4567-b8ec-99b863f4fa74\",\"title\":\"Bytes Source vs. 
Destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9622b1fb-f543-4d05-b868-366fa865f9e7\":{\"columnOrder\":[\"93e747d6-f202-45f4-9813-129bb91a9306\",\"a5152707-6084-46e1-a5a1-b3eb150a1a05\"],\"columns\":{\"93e747d6-f202-45f4-9813-129bb91a9306\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of network.direction\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"network.direction\"},\"a5152707-6084-46e1-a5a1-b3eb150a1a05\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"layers\":[{\"categoryDisplay\":\"default\",\"groups\":[\"93e747d6-f202-45f4-9813-129bb91a9306\"],\"layerId\":\"9622b1fb-f543-4d05-b868-366fa865f9e7\",\"layerType\":\"data\",\"legendDisplay\":\"default\",\"metric\":\"a5152707-6084-46e1-a5a1-b3eb150a1a05\",\"nestedLegend\":false,\"numberDisplay\":\"value\"}],\"shape\":\"donut\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsPie\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":11,\"i\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"w\":8,\"x\":32,\"y\":5},\"panelIndex\":\"efe8857e-d137-4c24-ad83-dd7ddbea8c9e\",\"title\":\"Bytes per 
direction\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
source.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"source.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":7,\"i\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"w\":24,\"x\":24,\"y\":46},\"panelIndex\":\"289e8233-5d54-49c7-9b3a-30bab73711bb\",\"title\":\"Sum of bytes per 
source\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"102a3f02-3222-48bb-8c57-b29990ae1d97\":{\"columnOrder\":[\"d25096dc-6121-497e-b444-42e92618a871\",\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\",\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"columns\":{\"0647e623-e5b9-4b20-afdf-eba0badc2297\":{\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Sum of network.bytes\",\"operationType\":\"sum\",\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"},\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\":{\"dataType\":\"date\",\"isBucketed\":true,\"label\":\"@timestamp\",\"operationType\":\"date_histogram\",\"params\":{\"interval\":\"auto\"},\"scale\":\"interval\",\"sourceField\":\"@timestamp\"},\"d25096dc-6121-497e-b444-42e92618a871\":{\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Top values of 
destination.domain\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":false,\"orderBy\":{\"columnId\":\"0647e623-e5b9-4b20-afdf-eba0badc2297\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":5},\"scale\":\"ordinal\",\"sourceField\":\"destination.domain\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"fittingFunction\":\"None\",\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"layers\":[{\"accessors\":[\"0647e623-e5b9-4b20-afdf-eba0badc2297\"],\"layerId\":\"102a3f02-3222-48bb-8c57-b29990ae1d97\",\"layerType\":\"data\",\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"splitAccessor\":\"d25096dc-6121-497e-b444-42e92618a871\",\"xAccessor\":\"5cb970e1-fff0-4b8c-8c74-7dc834bd2942\"}],\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"preferredSeriesType\":\"bar_stacked\",\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"valueLabels\":\"hide\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"}}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsXY\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":8,\"i\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"w\":24,\"x\":24,\"y\":53},\"panelIndex\":\"9d413864-ae26-4e79-a93d-df49fbad4913\",\"title\":\"Sum of bytes per 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"attributes\":{\"references\":[{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"logs-*\",\"name\":\"indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"type\":\"index-pattern\"}],\"state\":{\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\":{\"columnOrder\":[\"06178db9-8ae7-4706-b479-29aea6be4d75\",\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\"],\"columns\":{\"06178db9-8ae7-4706-b479-29aea6be4d75\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Source AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"source.as.organization.name\"},\"313bb272-53cc-4d90-890e-d0952e9fd07f\":{\"customLabel\":true,\"dataType\":\"string\",\"isBucketed\":true,\"label\":\"Destination AS Org\",\"operationType\":\"terms\",\"params\":{\"missingBucket\":true,\"orderBy\":{\"columnId\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"type\":\"column\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"size\":10},\"scale\":\"ordinal\",\"sourceField\":\"destination.as.organization.name\"},\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\":{\"customLabel\":true,\"dataType\":\"number\",\"isBucketed\":false,\"label\":\"Total 
bytes\",\"operationType\":\"sum\",\"params\":{\"format\":{\"id\":\"bytes\",\"params\":{\"decimals\":2}}},\"scale\":\"ratio\",\"sourceField\":\"network.bytes\"}},\"incompleteColumns\":{}}}}},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"visualization\":{\"gridConfig\":{\"isCellLabelVisible\":false,\"isXAxisLabelVisible\":true,\"isYAxisLabelVisible\":true,\"type\":\"lens_heatmap_grid\"},\"layerId\":\"8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97\",\"layerType\":\"data\",\"legend\":{\"isVisible\":false,\"maxLines\":2,\"position\":\"right\",\"shouldTruncate\":false,\"type\":\"lens_heatmap_legendConfig\"},\"palette\":{\"accessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"name\":\"negative\",\"params\":{\"name\":\"negative\",\"rangeMax\":80,\"rangeMin\":0,\"reverse\":false,\"stops\":[{\"color\":\"#fbddd6\",\"stop\":0},{\"color\":\"#f3bbaf\",\"stop\":20},{\"color\":\"#e99a89\",\"stop\":40},{\"color\":\"#db7965\",\"stop\":60},{\"color\":\"#cc5642\",\"stop\":80}]},\"type\":\"palette\"},\"shape\":\"heatmap\",\"valueAccessor\":\"bbc2b648-d5e5-4ee1-baed-be4d1497e963\",\"xAccessor\":\"313bb272-53cc-4d90-890e-d0952e9fd07f\",\"yAccessor\":\"06178db9-8ae7-4706-b479-29aea6be4d75\"}},\"title\":\"\",\"type\":\"lens\",\"visualizationType\":\"lnsHeatmap\"},\"enhancements\":{},\"hidePanelTitles\":false},\"gridData\":{\"h\":15,\"i\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"w\":24,\"x\":24,\"y\":61},\"panelIndex\":\"fcaf1c3c-64a6-47ce-90a2-8226e788c062\",\"title\":\"Sum of bytes between source and 
destination\",\"type\":\"lens\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.as.organization.name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: 
\\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: 
\\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"w\":24,\"x\":0,\"y\":61},\"panelIndex\":\"eedf536b-4b23-4689-957b-482f4d7a3332\",\"title\":\"Sankey Source to Destination autonomous system (AS) org name\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n 
composite: {\\r\\n size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.domain\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.domain\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination domain\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"w\":24,\"x\":0,\"y\":46},\"panelIndex\":\"69f30a2e-79ff-4615-a83f-0aaf9b466ba7\",\"title\":\"Sankey Source to Destination domain\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.subnetwork_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination subnetwork\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"w\":24,\"x\":0,\"y\":31},\"panelIndex\":\"0f9ac1ed-f75b-4788-a9fe-9277d5e0551a\",\"title\":\"Sankey Source to Destination subnetwork\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n 
size: 10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.vpc_name\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination VPC\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"w\":24,\"x\":24,\"y\":31},\"panelIndex\":\"4a23ce96-6f3b-4ae0-bec2-dc1594cedef6\",\"title\":\"Sankey Source to Destination VPC\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 10000\\r\\n 
sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"source.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"destination.geo.country_iso_code\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination country\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"w\":24,\"x\":0,\"y\":16},\"panelIndex\":\"8700819e-d34e-4ac8-8b65-e053db64f7b8\",\"title\":\"Sankey Source to Destination country\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.vpcflow\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.vpcflow\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"spec\":\"{\\r\\n $schema: https://vega.github.io/schema/vega/v3.0.json\\r\\n data: [\\r\\n {\\r\\n // query ES based on the currently selected time range and filter string\\r\\n name: rawData\\r\\n url: {\\r\\n %context%: true\\r\\n %timefield%: @timestamp\\r\\n index: logs*\\r\\n body: {\\r\\n size: 0\\r\\n aggs: {\\r\\n table: {\\r\\n composite: {\\r\\n size: 
10000\\r\\n sources: [\\r\\n {\\r\\n stk1: {\\r\\n terms: {field: \\\"gcp.source.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n {\\r\\n stk2: {\\r\\n terms: {field: \\\"gcp.destination.vpc.project_id\\\"}\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n // From the result, take just the data we are interested in\\r\\n format: {property: \\\"aggregations.table.buckets\\\"}\\r\\n // Convert key.stk1 -\\u003e stk1 for simpler access below\\r\\n transform: [\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk1\\\", as: \\\"stk1\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.key.stk2\\\", as: \\\"stk2\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"datum.doc_count\\\", as: \\\"size\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: nodes\\r\\n source: rawData\\r\\n transform: [\\r\\n // when a country is selected, filter out unrelated data\\r\\n {\\r\\n type: filter\\r\\n expr: !groupSelector || groupSelector.stk1 == datum.stk1 || groupSelector.stk2 == datum.stk2\\r\\n }\\r\\n // Set new key for later lookups - identifies each node\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stk1+datum.stk2\\\", as: \\\"key\\\"}\\r\\n // instead of each table row, create two new rows,\\r\\n // one for the source (stack=stk1) and one for destination node (stack=stk2).\\r\\n // The country code stored in stk1 and stk2 fields is placed into grpId field.\\r\\n {\\r\\n type: fold\\r\\n fields: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n as: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n }\\r\\n // Create a sortkey, different for stk1 and stk2 stacks.\\r\\n // Space separator ensures proper sort order in some corner cases.\\r\\n {\\r\\n type: formula\\r\\n expr: datum.stack == 'stk1' ? 
datum.stk1+' '+datum.stk2 : datum.stk2+' '+datum.stk1\\r\\n as: sortField\\r\\n }\\r\\n // Calculate y0 and y1 positions for stacking nodes one on top of the other,\\r\\n // independently for each stack, and ensuring they are in the proper order,\\r\\n // alphabetical from the top (reversed on the y axis)\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"sortField\\\", order: \\\"descending\\\"}\\r\\n field: size\\r\\n }\\r\\n // calculate vertical center point for each node, used to draw edges\\r\\n {type: \\\"formula\\\", expr: \\\"(datum.y0+datum.y1)/2\\\", as: \\\"yc\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: groups\\r\\n source: nodes\\r\\n transform: [\\r\\n // combine all nodes into country groups, summing up the doc counts\\r\\n {\\r\\n type: aggregate\\r\\n groupby: [\\\"stack\\\", \\\"grpId\\\"]\\r\\n fields: [\\\"size\\\"]\\r\\n ops: [\\\"sum\\\"]\\r\\n as: [\\\"total\\\"]\\r\\n }\\r\\n // re-calculate the stacking y0,y1 values\\r\\n {\\r\\n type: stack\\r\\n groupby: [\\\"stack\\\"]\\r\\n sort: {field: \\\"grpId\\\", order: \\\"descending\\\"}\\r\\n field: total\\r\\n }\\r\\n // project y0 and y1 values to screen coordinates\\r\\n // doing it once here instead of doing it several times in marks\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y0)\\\", as: \\\"scaledY0\\\"}\\r\\n {type: \\\"formula\\\", expr: \\\"scale('y', datum.y1)\\\", as: \\\"scaledY1\\\"}\\r\\n // boolean flag if the label should be on the right of the stack\\r\\n {type: \\\"formula\\\", expr: \\\"datum.stack == 'stk1'\\\", as: \\\"rightLabel\\\"}\\r\\n // Calculate traffic percentage for this country using \\\"y\\\" scale\\r\\n // domain upper bound, which represents the total traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.total/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n {\\r\\n // This is a temp lookup table with all the 'stk2' stack nodes\\r\\n name: destinationNodes\\r\\n source: nodes\\r\\n transform: [\\r\\n 
{type: \\\"filter\\\", expr: \\\"datum.stack == 'stk2'\\\"}\\r\\n ]\\r\\n }\\r\\n {\\r\\n name: edges\\r\\n source: nodes\\r\\n transform: [\\r\\n // we only want nodes from the left stack\\r\\n {type: \\\"filter\\\", expr: \\\"datum.stack == 'stk1'\\\"}\\r\\n // find corresponding node from the right stack, keep it as \\\"target\\\"\\r\\n {\\r\\n type: lookup\\r\\n from: destinationNodes\\r\\n key: key\\r\\n fields: [\\\"key\\\"]\\r\\n as: [\\\"target\\\"]\\r\\n }\\r\\n // calculate SVG link path between stk1 and stk2 stacks for the node pair\\r\\n {\\r\\n type: linkpath\\r\\n orient: horizontal\\r\\n shape: diagonal\\r\\n sourceY: {expr: \\\"scale('y', datum.yc)\\\"}\\r\\n sourceX: {expr: \\\"scale('x', 'stk1') + bandwidth('x')\\\"}\\r\\n targetY: {expr: \\\"scale('y', datum.target.yc)\\\"}\\r\\n targetX: {expr: \\\"scale('x', 'stk2')\\\"}\\r\\n }\\r\\n // A little trick to calculate the thickness of the line.\\r\\n // The value needs to be the same as the hight of the node, but scaling\\r\\n // size to screen's height gives inversed value because screen's Y\\r\\n // coordinate goes from the top to the bottom, whereas the graph's Y=0\\r\\n // is at the bottom. 
So subtracting scaled doc count from screen height\\r\\n // (which is the \\\"lower\\\" bound of the \\\"y\\\" scale) gives us the right value\\r\\n {\\r\\n type: formula\\r\\n expr: range('y')[0]-scale('y', datum.size)\\r\\n as: strokeWidth\\r\\n }\\r\\n // Tooltip needs individual link's percentage of all traffic\\r\\n {\\r\\n type: formula\\r\\n expr: datum.size/domain('y')[1]\\r\\n as: percentage\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n scales: [\\r\\n {\\r\\n // calculates horizontal stack positioning\\r\\n name: x\\r\\n type: band\\r\\n range: width\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n paddingOuter: 0.05\\r\\n paddingInner: 0.95\\r\\n }\\r\\n {\\r\\n // this scale goes up as high as the highest y1 value of all nodes\\r\\n name: y\\r\\n type: linear\\r\\n range: height\\r\\n domain: {data: \\\"nodes\\\", field: \\\"y1\\\"}\\r\\n }\\r\\n {\\r\\n // use rawData to ensure the colors stay the same when clicking.\\r\\n name: color\\r\\n type: ordinal\\r\\n range: category\\r\\n domain: {data: \\\"rawData\\\", fields: [\\\"stk1\\\", \\\"stk2\\\"]}\\r\\n }\\r\\n {\\r\\n // this scale is used to map internal ids (stk1, stk2) to stack names\\r\\n name: stackNames\\r\\n type: ordinal\\r\\n range: [\\\"Source\\\", \\\"Destination\\\"]\\r\\n domain: [\\\"stk1\\\", \\\"stk2\\\"]\\r\\n }\\r\\n ]\\r\\n axes: [\\r\\n {\\r\\n // x axis should use custom label formatting to print proper stack names\\r\\n orient: bottom\\r\\n scale: x\\r\\n encode: {\\r\\n labels: {\\r\\n update: {\\r\\n text: {scale: \\\"stackNames\\\", field: \\\"value\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n }\\r\\n {orient: \\\"left\\\", scale: \\\"y\\\"}\\r\\n ]\\r\\n marks: [\\r\\n {\\r\\n // draw the connecting line between stacks\\r\\n type: path\\r\\n name: edgeMark\\r\\n from: {data: \\\"edges\\\"}\\r\\n // this prevents some autosizing issues with large strokeWidth for paths\\r\\n clip: true\\r\\n encode: {\\r\\n update: {\\r\\n // By default use color of the left node, except when showing 
traffic\\r\\n // from just one country, in which case use destination color.\\r\\n stroke: [\\r\\n {\\r\\n test: groupSelector \\u0026\\u0026 groupSelector.stack=='stk1'\\r\\n scale: color\\r\\n field: stk2\\r\\n }\\r\\n {scale: \\\"color\\\", field: \\\"stk1\\\"}\\r\\n ]\\r\\n strokeWidth: {field: \\\"strokeWidth\\\"}\\r\\n path: {field: \\\"path\\\"}\\r\\n // when showing all traffic, and hovering over a country,\\r\\n // highlight the traffic from that country.\\r\\n strokeOpacity: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 0.9 : 0.3\\r\\n }\\r\\n // Ensure that the hover-selected edges show on top\\r\\n zindex: {\\r\\n signal: !groupSelector \\u0026\\u0026 (groupHover.stk1 == datum.stk1 || groupHover.stk2 == datum.stk2) ? 1 : 0\\r\\n }\\r\\n // format tooltip string\\r\\n tooltip: {\\r\\n signal: datum.stk1 + ' \\u0026#x2192; ' + datum.stk2 + ' ' + format(datum.size, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n // Simple mouseover highlighting of a single line\\r\\n hover: {\\r\\n strokeOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw stack groups (countries)\\r\\n type: rect\\r\\n name: groupMark\\r\\n from: {data: \\\"groups\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n fill: {scale: \\\"color\\\", field: \\\"grpId\\\"}\\r\\n width: {scale: \\\"x\\\", band: 1}\\r\\n }\\r\\n update: {\\r\\n x: {scale: \\\"x\\\", field: \\\"stack\\\"}\\r\\n y: {field: \\\"scaledY0\\\"}\\r\\n y2: {field: \\\"scaledY1\\\"}\\r\\n fillOpacity: {value: 0.6}\\r\\n tooltip: {\\r\\n signal: datum.grpId + ' ' + format(datum.total, ',.0f') + ' (' + format(datum.percentage, '.1%') + ')'\\r\\n }\\r\\n }\\r\\n hover: {\\r\\n fillOpacity: {value: 1}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // draw country code labels on the inner side of the stack\\r\\n type: text\\r\\n from: {data: \\\"groups\\\"}\\r\\n // don't process events for the labels - otherwise line mouseover is 
unclean\\r\\n interactive: false\\r\\n encode: {\\r\\n update: {\\r\\n // depending on which stack it is, position x with some padding\\r\\n x: {\\r\\n signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\\r\\n }\\r\\n // middle of the group\\r\\n yc: {signal: \\\"(datum.scaledY0 + datum.scaledY1)/2\\\"}\\r\\n align: {signal: \\\"datum.rightLabel ? 'left' : 'right'\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n // only show text label if the group's height is large enough\\r\\n text: {signal: \\\"abs(datum.scaledY0-datum.scaledY1) \\u003e 13 ? datum.grpId : ''\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n {\\r\\n // Create a \\\"show all\\\" button. Shown only when a country is selected.\\r\\n type: group\\r\\n data: [\\r\\n // We need to make the button show only when groupSelector signal is true.\\r\\n // Each mark is drawn as many times as there are elements in the backing data.\\r\\n // Which means that if values list is empty, it will not be drawn.\\r\\n // Here I create a data source with one empty object, and filter that list\\r\\n // based on the signal value. 
This can only be done in a group.\\r\\n {\\r\\n name: dataForShowAll\\r\\n values: [{}]\\r\\n transform: [{type: \\\"filter\\\", expr: \\\"groupSelector\\\"}]\\r\\n }\\r\\n ]\\r\\n // Set button size and positioning\\r\\n encode: {\\r\\n enter: {\\r\\n xc: {signal: \\\"width/2\\\"}\\r\\n y: {value: 30}\\r\\n width: {value: 80}\\r\\n height: {value: 30}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n // This group is shown as a button with rounded corners.\\r\\n type: group\\r\\n // mark name allows signal capturing\\r\\n name: groupReset\\r\\n // Only shows button if dataForShowAll has values.\\r\\n from: {data: \\\"dataForShowAll\\\"}\\r\\n encode: {\\r\\n enter: {\\r\\n cornerRadius: {value: 6}\\r\\n fill: {value: \\\"#f5f5f5\\\"}\\r\\n stroke: {value: \\\"#c1c1c1\\\"}\\r\\n strokeWidth: {value: 2}\\r\\n // use parent group's size\\r\\n height: {\\r\\n field: {group: \\\"height\\\"}\\r\\n }\\r\\n width: {\\r\\n field: {group: \\\"width\\\"}\\r\\n }\\r\\n }\\r\\n update: {\\r\\n // groups are transparent by default\\r\\n opacity: {value: 1}\\r\\n }\\r\\n hover: {\\r\\n opacity: {value: 0.7}\\r\\n }\\r\\n }\\r\\n marks: [\\r\\n {\\r\\n type: text\\r\\n // if true, it will prevent clicking on the button when over text.\\r\\n interactive: false\\r\\n encode: {\\r\\n enter: {\\r\\n // center text in the paren group\\r\\n xc: {\\r\\n field: {group: \\\"width\\\"}\\r\\n mult: 0.5\\r\\n }\\r\\n yc: {\\r\\n field: {group: \\\"height\\\"}\\r\\n mult: 0.5\\r\\n offset: 2\\r\\n }\\r\\n align: {value: \\\"center\\\"}\\r\\n baseline: {value: \\\"middle\\\"}\\r\\n fontWeight: {value: \\\"bold\\\"}\\r\\n text: {value: \\\"Show All\\\"}\\r\\n }\\r\\n }\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n signals: [\\r\\n {\\r\\n // used to highlight traffic to/from the same country\\r\\n name: groupHover\\r\\n value: {}\\r\\n on: [\\r\\n {\\r\\n events: @groupMark:mouseover\\r\\n update: \\\"{stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' 
\\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {events: \\\"mouseout\\\", update: \\\"{}\\\"}\\r\\n ]\\r\\n }\\r\\n // used to filter only the data related to the selected country\\r\\n {\\r\\n name: groupSelector\\r\\n value: false\\r\\n on: [\\r\\n {\\r\\n // Clicking groupMark sets this signal to the filter values\\r\\n events: @groupMark:click!\\r\\n update: \\\"{stack:datum.stack, stk1:datum.stack=='stk1' \\u0026\\u0026 datum.grpId, stk2:datum.stack=='stk2' \\u0026\\u0026 datum.grpId}\\\"\\r\\n }\\r\\n {\\r\\n // Clicking \\\"show all\\\" button, or double-clicking anywhere resets it\\r\\n events: [\\r\\n {type: \\\"click\\\", markname: \\\"groupReset\\\"}\\r\\n {type: \\\"dblclick\\\"}\\r\\n ]\\r\\n update: \\\"false\\\"\\r\\n }\\r\\n ]\\r\\n }\\r\\n ]\\r\\n}\"},\"title\":\"[GCP] Sankey Source to Destination project\",\"type\":\"vega\",\"uiState\":{}}},\"gridData\":{\"h\":15,\"i\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"w\":24,\"x\":24,\"y\":16},\"panelIndex\":\"6d32c209-a24d-4bf4-8651-83a187ed7946\",\"title\":\"Sankey Source to Destination project\",\"type\":\"visualization\",\"version\":\"7.17.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":true,\"savedVis\":{\"data\":{\"aggs\":[],\"searchSource\":{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}},\"description\":\"\",\"params\":{\"axis_formatter\":\"number\",\"axis_position\":\"left\",\"axis_scale\":\"normal\",\"drop_last_bucket\":1,\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"index_pattern\":\"\",\"interval\":\"\",\"isModelInvalid\":false,\"markdown\":\"[Detection Engine](security/detections)\\r\\n\\r\\n[Network overview](security/network/flows)\",\"markdown_css\":\"#markdown-61ca57f0-469d-11e7-af02-69e470af7417 a{background-color:#07C;color:#fff;padding:8px 12px;height:40px;display:inline-block;font-family:Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI 
Symbol;font-weight:400;letter-spacing:-0.005em;font-size:1rem;line-height:1.5;text-decoration:none;border-radius:4px;vertical-align:middle;width:100%;text-align:center}\",\"markdown_less\":\"a {\\n background-color: #07C;\\n color: #fff;\\n padding: 8px 12px;\\n height: 40px;\\n display: inline-block;\\n font-family: Inter UI,-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;\\n font-weight: 400;\\n letter-spacing: -.005em;\\n font-size: 1rem;\\n line-height: 1.5;\\n text-decoration: none;\\n border-radius: 4px;\\n vertical-align: middle;\\n width: 100%;\\n text-align: center;\\n}\",\"markdown_openLinksInNewTab\":1,\"markdown_vertical_align\":\"middle\",\"max_lines_legend\":1,\"series\":[{\"axis_position\":\"right\",\"chart_type\":\"line\",\"color\":\"#68BC00\",\"fill\":0.5,\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"line_width\":1,\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"count\"}],\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"point_size\":1,\"separate_axis\":0,\"split_mode\":\"everything\",\"stacked\":\"none\",\"time_range_mode\":\"entire_time_range\"}],\"show_grid\":1,\"show_legend\":1,\"time_field\":\"\",\"time_range_mode\":\"entire_time_range\",\"tooltip_mode\":\"show_all\",\"truncate_legend\":1,\"type\":\"markdown\",\"use_kibana_indexes\":true},\"title\":\"Nav Buttons\",\"type\":\"metrics\",\"uiState\":{}}},\"gridData\":{\"h\":5,\"i\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"w\":8,\"x\":40,\"y\":0},\"panelIndex\":\"f3e1d305-2615-45a8-a2a9-ced28af362d1\",\"type\":\"visualization\",\"version\":\"7.17.0\"}]", + "timeRestore": false, + "title": "[Logs GCP] VPC Flow", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-9484a4cd-685f-450e-aeaa-728fbdbea20f", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fd65090b-d291-4771-865d-c5fa77a1b2a2:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4489b109-a7f8-4a9d-b85f-0fe613368eda:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "061ff6b2-a70a-42dc-87fd-45d185b277ac:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "42eee1cd-e816-4f6e-a700-401e8ff1a2f5:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9714edf3-3894-4567-b8ec-99b863f4fa74:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "efe8857e-d137-4c24-ad83-dd7ddbea8c9e:indexpattern-datasource-layer-9622b1fb-f543-4d05-b868-366fa865f9e7", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "289e8233-5d54-49c7-9b3a-30bab73711bb:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9d413864-ae26-4e79-a93d-df49fbad4913:indexpattern-datasource-layer-102a3f02-3222-48bb-8c57-b29990ae1d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fcaf1c3c-64a6-47ce-90a2-8226e788c062:indexpattern-datasource-layer-8929ffe2-4cf7-40b7-8e2c-1ee52bdd8d97", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eedf536b-4b23-4689-957b-482f4d7a3332:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69f30a2e-79ff-4615-a83f-0aaf9b466ba7:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0f9ac1ed-f75b-4788-a9fe-9277d5e0551a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4a23ce96-6f3b-4ae0-bec2-dc1594cedef6:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8700819e-d34e-4ac8-8b65-e053db64f7b8:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6d32c209-a24d-4bf4-8651-83a187ed7946:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + 
"name": "tag-gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "type": "tag" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json b/packages/gcp/1.9.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json new file mode 100755 index 0000000000..3e96491081 --- /dev/null +++ b/packages/gcp/1.9.2/kibana/search/gcp-d88364c0-73a1-11ea-a345-f985c61fe654.json @@ -0,0 +1,39 @@ +{ + "attributes": { + "columns": [ + "user.email", + "service.name", + "gcp.audit.type", + "event.action", + "event.outcome", + "source.ip", + "source.geo.region_name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"gcp.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"gcp.audit\"}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [], + "title": "Audit [Logs GCP]", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-d88364c0-73a1-11ea-a345-f985c61fe654", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json b/packages/gcp/1.9.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json new file mode 100755 index 0000000000..5f9cb58c69 --- /dev/null 
+++ b/packages/gcp/1.9.2/kibana/tag/gcp-e1a359e5-543d-44c2-ab81-628138719e28.json @@ -0,0 +1,11 @@ +{ + "attributes": { + "color": "#6092C0", + "description": "All assets to monitor GCP", + "name": "GCP" + }, + "coreMigrationVersion": "7.17.0", + "id": "gcp-e1a359e5-543d-44c2-ab81-628138719e28", + "references": [], + "type": "tag" +} \ No newline at end of file diff --git a/packages/gcp/1.9.2/manifest.yml b/packages/gcp/1.9.2/manifest.yml new file mode 100755 index 0000000000..401442b232 --- /dev/null +++ b/packages/gcp/1.9.2/manifest.yml 
@@ -0,0 +1,64 @@ +name: gcp +title: Google Cloud Platform +version: "1.9.2" +release: ga +description: Collect logs from Google Cloud Platform with Elastic Agent. +type: integration +icons: + - src: /img/logo_gcp.svg + title: logo gcp + size: 32x32 + type: image/svg+xml +format_version: 1.0.0 +license: basic +categories: + - google_cloud + - cloud + - network + - security +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/filebeat-gcp-audit.png + title: filebeat gcp audit + size: 1702x996 + type: image/png +policy_templates: + - name: gcp + title: Google Cloud Platform (GCP) logs + description: Collect logs from Google Cloud Platform (GCP) instances + inputs: + - type: gcp-pubsub + vars: + - name: alternative_host + type: text + title: Alternative host + multi: false + required: false + show_user: false + - name: project_id + type: text + title: Project Id + description: Your Google Cloud project ID where the resources exist. + multi: false + required: true + show_user: true + default: SET_PROJECT_NAME + - name: credentials_file + type: text + title: Credentials File + description: The path to the JSON file with the private key. Make sure that the Elastic Agent has at least read-only privileges to this file. + multi: false + required: false + show_user: true + - name: credentials_json + type: text + title: Credentials JSON + description: The content of the JSON file you downloaded from Google Cloud Platform. + multi: false + required: false + show_user: true + title: "Collect Google Cloud Platform (GCP) audit, firewall and vpcflow logs (input: gcp-pubsub)" + description: "Collecting audit, firewall and vpcflow logs from Google Cloud Platform (GCP) instances (input: gcp-pubsub)" +owner: + github: elastic/security-external-integrations diff --git a/packages/github/1.0.2/changelog.yml b/packages/github/1.0.2/changelog.yml new file mode 100755 index 0000000000..e76d9707a0 --- /dev/null +++ b/packages/github/1.0.2/changelog.yml 
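Review bot: `credentials_json` is declared as `type: text`, so the full service-account key (including its private key) is rendered and stored as an ordinary text field in the Fleet UI and agent policy; the package spec's `password` variable type masks such values, so `type: password` would be the better choice for this variable. The same question applies to `credentials_file` only if the path is considered sensitive, which it usually is not. Separately, `project_id` is `required: true` but carries `default: SET_PROJECT_NAME`, so a policy can presumably be saved with the placeholder still in place; if the default exists only as a hint, a `description` mention of replacing it (or dropping the default so the required check bites) would make that explicit.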
@@ -0,0 +1,71 @@ +# newer versions go on top +- version: "1.0.2" + changes: + - description: Add correct field mapping for event.created + type: bugfix + link: https://github.com/elastic/integrations/pull/3579 +- version: "1.0.1" + changes: + - description: Update readme + type: enhancement + link: https://github.com/elastic/integrations/pull/3105 +- version: "1.0.0" + changes: + - description: Make GA + type: enhancement + link: https://github.com/elastic/integrations/pull/3428 +- version: "0.4.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2779 +- version: "0.3.4" + changes: + - description: Fix typo in config template for ignoring host enrichment + type: bugfix + link: https://github.com/elastic/integrations/pull/3092 +- version: "0.3.3" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "0.3.2" + changes: + - description: Fix date format used in queries. + type: bugfix + link: https://github.com/elastic/integrations/pull/2732 +- version: "0.3.1" + changes: + - description: Resolve invalid query operator + type: bugfix + link: https://github.com/elastic/integrations/pull/2664 +- version: "0.3.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2407 +- version: "0.2.2" + changes: + - description: Removes saved search used for testing + type: bugfix + link: https://github.com/elastic/integrations/pull/2554 +- version: "0.2.1" + changes: + - description: Regenerate test files using the new GeoIP database + type: bugfix + link: https://github.com/elastic/integrations/pull/2339 +- version: "0.2.0" + changes: + - description: Add 8.0.0 version constraint + type: enhancement + link: https://github.com/elastic/integrations/pull/2259 +- version: "0.1.1" + changes: + - description: Update Title and Description. 
+ type: bugfix + link: https://github.com/elastic/integrations/pull/1997 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement # can be one of: enhancement, bugfix, breaking-change + link: https://github.com/elastic/integrations/pull/1760 diff --git a/packages/github/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/github/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..9dbed92e60 --- /dev/null +++ b/packages/github/1.0.2/data_stream/audit/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,69 @@ +config_version: "2" +interval: {{interval}} +request.method: "GET" +request.url: {{api_url}}/orgs/{{organization}}/audit-log +{{#if ssl}} +request.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} +{{#if proxy_url }} +request.proxy_url: {{proxy_url}} +{{/if}} + +{{!-- https://github.community/t/new-feature-audit-log-rest-api-check-it-out/161512 --}} +request.transforms: + - set: + target: header.Authorization + value: "Bearer {{access_token}}" + - set: + target: header.Accept + value: "application/vnd.github.v3+json" + - set: + target: url.params.phrase + value: '[[sprintf "created:>=%s" (formatDate .cursor.last_timestamp "2006-01-02T15:04:05-07:00")]]' + default: '[[sprintf "created:>=%s" (formatDate (now (parseDuration "-{{initial_interval}}")) "2006-01-02T15:04:05-07:00")]]' + - set: + target: url.params.per_page + value: 100 + - set: + target: url.params.include + value: all + - set: + target: url.params.order + value: asc + +request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]' +request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]' +request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]' + +response.pagination: + - set: + target: url.value + value: '[[ getRFC5988Link "next" .last_response.header.Link ]]' + fail_on_template_error: true + +cursor: + last_timestamp: + value: '[[ .last_event.created_at ]]' + +{{#if tags.length}} +tags: +{{else if preserve_original_event}} +tags: +{{/if}} +{{#each tags as |tag i|}} + - {{tag}} +{{/each}} +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} + +{{#if processors}} +processors: +{{processors}} +{{/if}} \ No newline at end of file 
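Review bot: `request.url: {{api_url}}/orgs/{{organization}}/audit-log` is an unquoted templated scalar, so a user-supplied `api_url` or `organization` that expands to something containing `: ` or ` #` (or starts with a YAML indicator) changes the rendered document's structure instead of producing a string; the conventional guard in these templates is to quote it, `request.url: "{{api_url}}/orgs/{{organization}}/audit-log"`. The same applies to `request.proxy_url: {{proxy_url}}`, while `interval: {{interval}}` is fine as a duration. The Authorization transform already quotes `"Bearer {{access_token}}"`, so quoting the URL lines keeps the file consistent with itself.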
diff --git a/packages/github/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100755 index 0000000000..c75e40eef0 --- /dev/null +++ b/packages/github/1.0.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,155 @@ +--- +description: Pipeline for parsing GitHub audit logs +processors: +- set: + field: event.kind + value: event +- set: + field: ecs.version + value: "8.2.0" +- append: + field: event.type + value: access +- append: + field: event.category + value: web +- append: + field: event.category + value: iam +- rename: + field: message + target_field: event.original + ignore_missing: true +- json: + field: event.original + target_field: json +- fingerprint: + fields: + - json._document_id + target_field: "_id" + ignore_missing: true +- date: + field: json.created_at + formats: + - UNIX_MS + timezone: UTC + target_field: "@timestamp" +- rename: + field: json._document_id + target_field: event.id + ignore_missing: true +- rename: + field: json.action + target_field: event.action + ignore_missing: true +- rename: + field: json.actor + target_field: user.name + ignore_missing: true +- append: + field: related.user + value: "{{user.name}}" + if: ctx.user?.name != null +- rename: + field: json.org + target_field: github.org + ignore_missing: true +- rename: + field: json.user + target_field: user.target.name + ignore_missing: true +- append: + field: related.user + value: "{{user.target.name}}" + if: ctx.user?.target?.name != null +- rename: + field: json.repo + target_field: github.repo + ignore_missing: true +- rename: + field: json.team + target_field: github.team + ignore_missing: true +- rename: + field: json.data.team + target_field: github.team + ignore_missing: true + if: ctx.github?.team == null +- set: + field: group.name + copy_from: github.team + ignore_empty_value: true + if: ctx.event?.action.startsWith("team.") +- set: + field: user.target.group.name + copy_from: github.team + ignore_empty_value: true + if: ctx.event?.action.startsWith("team.") && ctx.user?.target?.name != null +- set: + field: group.name + copy_from: github.org + ignore_empty_value: true + if: ctx.event?.action.startsWith("org.") +- set: + field: user.target.group.name + 
copy_from: github.org + ignore_empty_value: true + if: ctx.event?.action.startsWith("org.") && ctx.user?.target?.name != null +- rename: + field: json.data.old_user + target_field: user.target.group.name + ignore_missing: true +- rename: + field: json.data.old_user + target_field: user.target.group.name + ignore_missing: true + if: ctx.user?.target?.group?.name == null +- rename: + field: json.actor_location.country_code + target_field: client.geo.country_iso_code + ignore_missing: true +- grok: + field: event.action + ignore_missing: true + patterns: + - '^%{GH_CAT:github.category}\.%{GREEDYDATA}' + pattern_definitions: + GH_CAT: '[a-z_]+' +- remove: + field: + - json + ignore_missing: true +- remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +- script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: +- set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/github/1.0.2/data_stream/audit/fields/agent.yml b/packages/github/1.0.2/data_stream/audit/fields/agent.yml new file mode 100755 index 0000000000..4d9a6f7b36 --- /dev/null +++ b/packages/github/1.0.2/data_stream/audit/fields/agent.yml 
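Review bot: The two consecutive `rename` processors for `json.data.old_user` both target `user.target.group.name`, and the first one is unguarded; when `user.target.group.name` was already populated by the preceding `set` processors for `team.*`/`org.*` actions, that rename fails because the target already exists, and the whole document lands in `on_failure` with only `error.message` set. The second, guarded copy (`if: ctx.user?.target?.group?.name == null`) is the intended one but never sees the source field, since the first rename has already consumed it (or failed), so the fix is to delete the first unguarded `rename` and keep the guarded one. It is also worth confirming that mapping `old_user` (a user name) onto a `group.name` field is deliberate rather than a copy-paste of the team/org branches above. The `on_failure` handler also preserves neither the original `message` nor a `tags: _ingest_failure`-style marker, so these failures are hard to spot in the data; a `tags` append in the handler would make them searchable.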
@@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/github/1.0.2/data_stream/audit/fields/base-fields.yml b/packages/github/1.0.2/data_stream/audit/fields/base-fields.yml new file mode 100755 index 0000000000..f087bfee14 --- /dev/null +++ b/packages/github/1.0.2/data_stream/audit/fields/base-fields.yml 
@@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: github +- name: event.dataset + type: constant_keyword + description: Event dataset + value: github.audit +- name: "@timestamp" + type: date + description: Event timestamp. +- name: input.type + type: keyword + description: Type of Filebeat input. diff --git a/packages/github/1.0.2/data_stream/audit/fields/ecs.yml b/packages/github/1.0.2/data_stream/audit/fields/ecs.yml new file mode 100755 index 0000000000..83c479b473 --- /dev/null +++ b/packages/github/1.0.2/data_stream/audit/fields/ecs.yml 
@@ -0,0 +1,95 @@
+- description: Country ISO code.
+ name: client.geo.country_iso_code
+ type: keyword
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: match_only_text
+- description: |-
+ The action captured by the event.
+ This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
+ name: event.action
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
+ `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory.
+ This field is an array. This will allow proper categorization of some events that fall in multiple categories.
+ name: event.category
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: Unique ID to describe the event.
+ name: event.id
+ type: keyword
+- description: |-
+ Timestamp when an event arrived in the central data store.
+ This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event.
+ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.
+ name: event.ingested
+ type: date
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
+ `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.
+ The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
+ name: event.kind
+ type: keyword
+- description: |-
+ Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+ This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+ doc_values: false
+ index: false
+ name: event.original
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event.
+ Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective.
+ Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer.
+ Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.
+ name: event.outcome
+ type: keyword
+- description: |-
+ This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.
+ This field is an array. This will allow proper categorization of some events that fall in multiple event types.
+ name: event.type
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
+- description: All the user names or other user identifiers seen on the event.
+ name: related.user
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.name
+ type: keyword
+- description: Name of the group.
+ name: group.name
+ type: keyword
+- description: Name of the group.
+ name: user.target.group.name
+ type: keyword
+- description: Short name or login of the user.
+ multi_fields:
+ - name: text
+ type: match_only_text
+ name: user.target.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
diff --git a/packages/github/1.0.2/data_stream/audit/fields/fields.yml b/packages/github/1.0.2/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..59930fc9dc
--- /dev/null
+++ b/packages/github/1.0.2/data_stream/audit/fields/fields.yml
@@ -0,0 +1,17 @@
+- name: github.org
+ type: keyword
+ description: >
+ GitHub organization name
+
+- name: github.team
+ type: keyword
+ description: >-
+ GitHub team name
+- name: github.repo
+ type: keyword
+ description: >-
+ GitHub repository name
+- name: github.category
+ type: keyword
+ description: >-
+ GitHub action category
diff --git a/packages/github/1.0.2/data_stream/audit/manifest.yml b/packages/github/1.0.2/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..fd72fb7ea5
--- /dev/null
+++ b/packages/github/1.0.2/data_stream/audit/manifest.yml
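Review bot: `github.org` is the only entry in fields.yml whose description uses the clipping `>` block scalar while `github.team`, `github.repo` and `github.category` use `>-`, so its description is stored with a trailing newline and the blank line that follows it exists only to feed that scalar. Changing the line to `description: >-` and dropping the blank line makes the four entries uniform. For one-line descriptions like these a plain scalar, e.g. `description: GitHub organization name`, would be simpler still.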
@@ -0,0 +1,91 @@
+type: logs
+title: GitHub Audit Logs
+release: experimental
+streams:
+ - input: httpjson
+ vars:
+ - name: access_token
+ type: text
+ title: Personal Access Token
+ description: the GitHub Personal Access Token. Requires the 'admin:org' scope
+ multi: false
+ required: true
+ show_user: true
+ - name: organization
+ type: text
+ title: Organization Name
+ description: The GitHub organization name/ID
+ multi: false
+ required: true
+ show_user: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ default: 60s
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+ default: 1h
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 730h # 30 days
+ description: Initial interval to poll for events. Default is 730 hours (30 days).
+ - name: api_url
+ type: text
+ title: API URL.
+ description: The API URL without the path.
+ multi: false
+ required: true
+ show_user: false
+ default: https://api.github.com
+ - name: ssl
+ type: yaml
+ title: SSL
+ multi: false
+ required: false
+ show_user: false
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - forwarded
+ - github-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+ template_path: httpjson.yml.hbs
+ title: GitHub audit logs
+ description: Collect GitHub audit logs via the API
diff --git a/packages/github/1.0.2/data_stream/audit/sample_event.json b/packages/github/1.0.2/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..04e6483361
--- /dev/null
+++ b/packages/github/1.0.2/data_stream/audit/sample_event.json
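Review bot: `access_token` is declared `type: text`, so Fleet shows the Personal Access Token in clear text in the policy editor and wherever the policy is displayed; package-spec has `type: password` for exactly this, so the line under `- name: access_token` should read `type: password`. That variable's description also starts with a lowercase "the" and has no terminating period, so `description: The GitHub Personal Access Token. Requires the 'admin:org' scope.` reads better and matches the other descriptions. The `interval` description states the value must be between 2m and 1h, but nothing in this manifest enforces a range, so either the text should present the bound as a recommendation or the check lives in httpjson.yml.hbs, which is outside this diff. The `proxy_url` description ends in `http[s]://:@:`, which looks like angle-bracket placeholders (user, password, host, port) stripped when the page was rendered rather than missing from the file; worth confirming against the committed text.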
@@ -0,0 +1,64 @@
+{
+ "@timestamp": "2020-11-18T17:05:48.837Z",
+ "agent": {
+ "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04",
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "github.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "repo.destroy",
+ "agent_id_status": "verified",
+ "category": [
+ "web",
+ "iam"
+ ],
+ "created": "2022-02-03T12:34:05.664Z",
+ "dataset": "github.audit",
+ "id": "LwW2vpJZCDS-WUmo9Z-ifw",
+ "ingested": "2022-02-03T12:34:06Z",
+ "kind": "event",
+ "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}",
+ "type": [
+ "access"
+ ]
+ },
+ "github": {
+ "category": "repo",
+ "org": "mona-org",
+ "repo": "mona-org/mona-test-repo"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "user": [
+ "monalisa"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "github-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "monalisa"
+ }
+}
\ No newline at end of file
diff --git a/packages/github/1.0.2/docs/README.md b/packages/github/1.0.2/docs/README.md
new file mode 100755
index 0000000000..4e1f0bb932
--- /dev/null
+++ b/packages/github/1.0.2/docs/README.md
@@ -0,0 +1,137 @@
+# GitHub Integration
+
+The GitHub integration collects audit events from the [GitHub API](https://docs.github.com/en/rest ).
+
+## Logs
+
+### Audit
+
+The GitHub audit log records all events related to the GitHub organization. See [Audit log actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) for more details.
+
+To use this integration, you must be an organization owner, and you must use an Personal Access Token with the admin:org scope.
+
+*This integration is not compatible with GitHub Enterprise server.*
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| client.geo.country_iso_code | Country ISO code. | keyword |
+| data_stream.dataset | Data stream dataset name. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| github.category | GitHub action category | keyword |
+| github.org | GitHub organization name | keyword |
+| github.repo | GitHub repository name | keyword |
+| github.team | GitHub team name | keyword |
+| group.name | Name of the group. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2020-11-18T17:05:48.837Z",
+ "agent": {
+ "ephemeral_id": "95d78df4-1364-43b9-ab4f-62fc70d21b04",
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0-beta1"
+ },
+ "data_stream": {
+ "dataset": "github.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "584f3aea-648c-4e58-aba4-32b8f88d4396",
+ "snapshot": false,
+ "version": "8.0.0-beta1"
+ },
+ "event": {
+ "action": "repo.destroy",
+ "agent_id_status": "verified",
+ "category": [
+ "web",
+ "iam"
+ ],
+ "created": "2022-02-03T12:34:05.664Z",
+ "dataset": "github.audit",
+ "id": "LwW2vpJZCDS-WUmo9Z-ifw",
+ "ingested": "2022-02-03T12:34:06Z",
+ "kind": "event",
+ "original": "{\"@timestamp\":1605719148837,\"_document_id\":\"LwW2vpJZCDS-WUmo9Z-ifw\",\"action\":\"repo.destroy\",\"actor\":\"monalisa\",\"created_at\":1605719148837,\"org\":\"mona-org\",\"repo\":\"mona-org/mona-test-repo\",\"visibility\":\"private\"}",
+ "type": [
+ "access"
+ ]
+ },
+ "github": {
+ "category": "repo",
+ "org": "mona-org",
+ "repo": "mona-org/mona-test-repo"
+ },
+ "host": {
+ "name": "docker-fleet-agent"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "user": [
+ "monalisa"
+ ]
+ },
+ "tags": [
+ "forwarded",
+ "github-audit",
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "monalisa"
+ }
+}
+```
\ No newline at end of file
diff --git a/packages/github/1.0.2/img/github-audit-dashboard.png b/packages/github/1.0.2/img/github-audit-dashboard.png
new file mode 100755
index 0000000000..e6738cf99f
Binary files /dev/null and b/packages/github/1.0.2/img/github-audit-dashboard.png differ
diff --git a/packages/github/1.0.2/img/github-user-dashboard.png b/packages/github/1.0.2/img/github-user-dashboard.png
new file mode 100755
index 0000000000..d31984b7fa
Binary files /dev/null and b/packages/github/1.0.2/img/github-user-dashboard.png differ
diff --git a/packages/github/1.0.2/img/github.svg b/packages/github/1.0.2/img/github.svg
new file mode 100755
index 0000000000..a8d1174049
--- /dev/null
+++ b/packages/github/1.0.2/img/github.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/packages/github/1.0.2/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
new file mode 100755
index 0000000000..50358b3d23
--- /dev/null
+++ b/packages/github/1.0.2/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json
@@ -0,0 +1,42 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"af01806a-78b1-4068-8d69-fa2ca952f365\",\"panelRefName\":\"panel_af01806a-78b1-4068-8d69-fa2ca952f365\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":15,\"i\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"7d42442c-83c9-420d-8ef4-883eeb150687\",\"panelRefName\":\"panel_7d42442c-83c9-420d-8ef4-883eeb150687\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"panelRefName\":\"panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044\",\"type\":\"visualization\",\"version\":\"7.16.0\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"w\":48,\"x\":0,\"y\":22},\"panelIndex\":\"1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"panelRefName\":\"panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464\",\"type\":\"search\",\"version\":\"7.16.0\"}]", + "timeRestore": false, + "title": "[GitHub] User Change Audit", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-8bfd8310-205c-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "name": "af01806a-78b1-4068-8d69-fa2ca952f365:panel_af01806a-78b1-4068-8d69-fa2ca952f365", + "type": "visualization" 
+ }, + { + "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", + "name": "7d42442c-83c9-420d-8ef4-883eeb150687:panel_7d42442c-83c9-420d-8ef4-883eeb150687", + "type": "visualization" + }, + { + "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", + "name": "76db3a0d-7562-4436-acd5-3cbfd4f6d044:panel_76db3a0d-7562-4436-acd5-3cbfd4f6d044", + "type": "visualization" + }, + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "1e435c96-c37f-4eb5-a4e5-2d446b2bf464:panel_1e435c96-c37f-4eb5-a4e5-2d446b2bf464", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..506153bc21 --- /dev/null +++ b/packages/github/1.0.2/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"w\":41,\"x\":0,\"y\":0},\"panelIndex\":\"63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"panelRefName\":\"panel_63210180-c999-4d93-8d7a-f2fcb810ad1b\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":7,\"i\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"w\":7,\"x\":41,\"y\":0},\"panelIndex\":\"b37e0c71-2cc3-4895-b839-383ce53561a8\",\"panelRefName\":\"panel_b37e0c71-2cc3-4895-b839-383ce53561a8\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"w\":48,\"x\":0,\"y\":7},\"panelIndex\":\"fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"panelRefName\":\"panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapBuffer\":{\"maxLat\":85.05113,\"maxLon\":360,\"minLat\":-85.05113,\"minLon\":-540},\"mapCenter\":{\"lat\":27.08856,\"lon\":-30.5613,\"zoom\":1},\"openTOCDetails\":[]},\"gridData\":{\"h\":18,\"i\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"w\":37,\"x\":0,\"y\":26},\"panelIndex\":\"88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"panelRefName\":\"panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d\",\"type\":\"map\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":18,\"i\":\"0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"w\":11,\"x\":37,\"y\":26},\"panelIndex\":\"0c469087-fb3f-46d3-896
2-c49d2e50f70c\",\"panelRefName\":\"panel_0c469087-fb3f-46d3-8962-c49d2e50f70c\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"w\":25,\"x\":0,\"y\":44},\"panelIndex\":\"108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"panelRefName\":\"panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":19,\"i\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"w\":23,\"x\":25,\"y\":44},\"panelIndex\":\"9ed1cfce-9337-4813-8df5-14a1280bb351\",\"panelRefName\":\"panel_9ed1cfce-9337-4813-8df5-14a1280bb351\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":17,\"i\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"w\":48,\"x\":0,\"y\":63},\"panelIndex\":\"d48a66a5-50e7-4cab-9b16-767bfa427860\",\"panelRefName\":\"panel_d48a66a5-50e7-4cab-9b16-767bfa427860\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[GitHub] Audit Log Activity", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-dcee84c0-2059-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "name": "63210180-c999-4d93-8d7a-f2fcb810ad1b:panel_63210180-c999-4d93-8d7a-f2fcb810ad1b", + "type": "visualization" + }, + { + "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", + "name": "b37e0c71-2cc3-4895-b839-383ce53561a8:panel_b37e0c71-2cc3-4895-b839-383ce53561a8", + "type": "visualization" + }, + { + "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", + "name": "fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9:panel_fb1ebb7a-c8bf-419d-be8f-ff5d2a741cc9", + "type": "visualization" + }, + { + "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", + "name": 
"88887e58-b192-4c9b-85c7-14d18a6c1c0d:panel_88887e58-b192-4c9b-85c7-14d18a6c1c0d", + "type": "map" + }, + { + "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", + "name": "0c469087-fb3f-46d3-8962-c49d2e50f70c:panel_0c469087-fb3f-46d3-8962-c49d2e50f70c", + "type": "visualization" + }, + { + "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", + "name": "108cd1b7-ce79-4558-ae38-5f1bb93961fe:panel_108cd1b7-ce79-4558-ae38-5f1bb93961fe", + "type": "visualization" + }, + { + "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", + "name": "9ed1cfce-9337-4813-8df5-14a1280bb351:panel_9ed1cfce-9337-4813-8df5-14a1280bb351", + "type": "visualization" + }, + { + "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", + "name": "d48a66a5-50e7-4cab-9b16-767bfa427860:panel_d48a66a5-50e7-4cab-9b16-767bfa427860", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..28e6fd92ec --- /dev/null +++ b/packages/github/1.0.2/kibana/map/github-871e5750-205e-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,22 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":0.75,\"id\":\"a427cb7d-077b-4c8a-8741-74f8f03283e2\",\"includeInFitToBounds\":true,\"joins\":[],\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#6092C0\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#4379aa\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true},{\"alpha\":0.75,\"id\":\"a0ea096b-e0eb-43dd-8f75-c0d8c0e4ac9a\",\"includeInFitToBounds\":true,\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"id\":\"167d9148-ad58-4fa1-99eb-c3e75fc75f96\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"indexPatternTitle\":\"logs-*\",\"term\":\"client.geo.country_iso_code\",\"type\":\"ES_TERM_SOURCE\"}}],\"label\":\"Events by 
Country\",\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"],\"type\":\"EMS_FILE\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"#54B399\"},\"type\":\"STATIC\"},\"icon\":{\"options\":{\"value\":\"marker\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"size\":6},\"type\":\"STATIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"value\":\"\"},\"type\":\"STATIC\"},\"lineColor\":{\"options\":{\"color\":\"#41937c\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":1},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":0,\"lon\":-29.82486},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"logs-*\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"refreshConfig\":{\"interval\":0,\"isPaused\":true},\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"browserLocation\":{\"zoom\":2},\"disableInteractive\":false,\"disableTooltipControl\":false,\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"hideLayerControl\":false,\"hideToolbarOverlay\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"showTimesliderToggleButton\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"},\"timeFilters\":{\"from\":\"now-18M\",\"to\":\"now\"},\"zoom\":0.56}", + "title": "Activity Map by Actor Location [GitHub]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-871e5750-205e-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "map": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "layer_1_join_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..3becd882e0 --- /dev/null +++ b/packages/github/1.0.2/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,46 @@ +{ + "attributes": { + "columns": [ + "user.name", + "user.target.name", + "github.org", + "event.action" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"exists\":{\"field\":\"user.target.name\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"user.target.name\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "GitHub Audit Users", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..6fcc2915aa --- /dev/null 
+++ b/packages/github/1.0.2/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json @@ -0,0 +1,36 @@ +{ + "attributes": { + "columns": [], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "GitHub Audit", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..e74ffec7ff --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-61f60d00-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Event Types [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"\",\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Event Types 
[GitHub]\",\"type\":\"horizontal_bar\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-61f60d00-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..bee75a85b9 --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 5 Active Users [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 5 Active Users [GitHub]\",\"type\":\"horizontal_bar\"}" + }, + 
"coreMigrationVersion": "7.16.0", + "id": "github-78ec0aa0-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..ffb543647f --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-7b073f90-205e-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,50 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"github.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"github.audit\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "Controls Audit [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"github.org\",\"id\":\"1632831213212\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Organization\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"github.repo\",\"id\":\"1632831234336\",\"indexPatternRefName\":\"control_1_index_pattern\",\"label\":\"Repository\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.name\",\"id\":\"1632872599896\",\"indexPatternRefName\":\"control_2_index_pattern\",\"label\":\"Actor\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"user.target.name\",\"id\":\"1632872564349\",\"indexPatternRefName\":\"control_3_index_pattern\",\"label\":\"Users\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"},{\"fieldName\":\"event.action\",\"id\":\"1632874177516\",\"indexPatternRefName\":\"control_4_index_pattern\",\"label\":\"Action\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"pare
nt\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":false,\"useTimeFilter\":false},\"title\":\"Controls Audit [GitHub]\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-7b073f90-205e-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_3_index_pattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "control_4_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..0b63b91066 --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Events per Organization [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"github.org\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"Events per Organization [GitHub]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-9638a6e0-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..2adad09de2 --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-97737b60-20b5-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "User Changes [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":0,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"value\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"User Changes [GitHub]\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-97737b60-20b5-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..ab96e88761 --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "User Change Timeline [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"i
d\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"User Change Timeline [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-b50c62e0-20b5-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-173f1050-20ae-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..862ffe3f0b --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Events over time [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"now-18M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"used_interval\":\"1w\"},\"schema\":\"segment\",\"type\":\"date_histogram\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.action\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":1000},\"schema\":\"group\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":
\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events over time [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-ba0ece10-20b3-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..e833f96f8f --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-c803b110-20b4-11ec-8b10-11a4c5e322a0.json 
@@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top 10 Active Repositories [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository\",\"field\":\"github.repo\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"rotate\":0,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"default\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top 10 Active 
Repositories [GitHub]\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-c803b110-20b4-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/github/1.0.2/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json b/packages/github/1.0.2/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json new file mode 100755 index 0000000000..1b32797c76 --- /dev/null +++ b/packages/github/1.0.2/kibana/visualization/github-d7343340-20b3-11ec-8b10-11a4c5e322a0.json @@ -0,0 +1,26 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Total Events [GitHub]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\" \"},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Total Events [GitHub]\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "github-d7343340-20b3-11ec-8b10-11a4c5e322a0", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/github/1.0.2/manifest.yml b/packages/github/1.0.2/manifest.yml
new file mode 100755
index 0000000000..027b7e2a3b
--- /dev/null
+++ b/packages/github/1.0.2/manifest.yml
@@ -0,0 +1,35 @@
+name: github
+title: GitHub
+version: 1.0.2
+release: ga
+description: Collect events from GitHub with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+  kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+  - src: /img/github.svg
+    title: GitHub
+    size: 1024x1024
+    type: image/svg+xml
+screenshots:
+  - src: /img/github-audit-dashboard.png
+    title: GitHub audit overview
+    size: 3000x1788
+    type: image/png
+  - src: /img/github-user-dashboard.png
+    title: GitHub user overview
+    size: 2998x1631
+    type: image/png
+policy_templates:
+  - name: github
+    title: GitHub logs
+    description: Collect logs from GitHub
+    inputs:
+      - type: httpjson
+        title: "Collect GitHub logs via API"
+        description: "Collecting logs from GitHub via API"
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/httpjson/1.2.4/changelog.yml b/packages/httpjson/1.2.4/changelog.yml
new file mode 100755
index 0000000000..de3cbba77b
--- /dev/null
+++ b/packages/httpjson/1.2.4/changelog.yml
@@ -0,0 +1,40 @@
+- version: "1.2.4"
+  changes:
+    - description: Add correct field mapping for event.created
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3579
+- version: "1.2.3"
+  changes:
+    - description: Fixes oauth2 config rendering
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3518
+- version: "1.2.2"
+  changes:
+    - description: Fixes rendering issue for custom oauth2 scopes
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3295
+- version: "1.2.1"
+  changes:
+    - description: Adds missing `delegated_account` option for Google Oauth2
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3256
+- version: "1.2.0"
+  changes:
+    - description: Update ECS to 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2779
+- version: "1.1.1"
+  changes:
+    - description: Fixes typo in config template
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2883
+- version: "1.1.0"
+  changes:
+    - description: Fixes issues with certain configuration fields not working
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2815
+- version: "1.0.0"
+  changes:
+    - description: Initial Implementation
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2154
diff --git a/packages/httpjson/1.2.4/data_stream/generic/agent/stream/httpjson.yml.hbs b/packages/httpjson/1.2.4/data_stream/generic/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..9d45186622
--- /dev/null
+++ b/packages/httpjson/1.2.4/data_stream/generic/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,151 @@
+config_version: 2
+data_stream:
+ dataset: {{data_stream.dataset}}
+interval: {{request_interval}}
+
+{{#if username}}
+auth.basic.user: {{username}}
+{{/if}}
+{{#if password}}
+auth.basic.password: {{password}}
+{{/if}}
+
+{{#if pipeline}}
+pipeline: {{pipeline}}
+{{/if}}
+
+{{#unless username}}
+{{#unless password}}
+{{#if oauth_id}}
+auth.oauth2.client.id: {{oauth_id}}
+{{/if}}
+{{#if oauth_secret}}
+auth.oauth2.client.secret: {{oauth_secret}}
+{{/if}}
+{{#if oauth_token_url}}
+auth.oauth2.token_url: {{oauth_token_url}}
+{{/if}}
+{{#if oauth_provider}}
+auth.oauth2.provider: {{oauth_provider}}
+{{/if}}
+{{#if oauth_scopes}}
+auth.oauth2.scopes:
+{{#each oauth_scopes as |scope i|}}
+ - {{scope}}
+{{/each}}
+{{/if}}
+{{#if oauth_google_credentials_file}}
+auth.oauth2.google.credentials_file: {{oauth_google_credentials_file}}
+{{/if}}
+{{#if oauth_google_credentials_json}}
+auth.oauth2.google.credentials_json: '{{oauth_google_credentials_json}}'
+{{/if}}
+{{#if oauth_google_jwt_file}}
+auth.oauth2.google.jwt_file: {{oauth_google_jwt_file}}
+{{/if}}
+{{#if oauth_google_delegated_account}}
+auth.oauth2.google.delegated_account: {{oauth_google_delegated_account}}
+{{/if}}
+{{#if oauth_azure_tenant_id}}
+auth.oauth2.azure.tenant_id: {{oauth_azure_tenant_id}}
+{{/if}}
+{{#if oauth_azure_resource}}
+auth.oauth2.azure.resource: {{oauth_azure_resource}}
+{{/if}}
+{{#if oauth_endpoint_params}}
+auth.oauth2.endpoint_params:
+ {{oauth_endpoint_params}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+
+request.url: {{request_url}}
+request.method: {{request_method}}
+{{#if request_body}}
+request.body:
+ {{request_body}}
+{{/if}}
+{{#if request_transforms}}
+request.transforms:
+ {{request_transforms}}
+{{/if}}
+{{#if request_ssl}}
+request.ssl:
+ {{request_ssl}}
+{{/if}}
+{{#if request_encode_as}}
+request.encode_as: {{request_encode_as}}
+{{/if}}
+{{#if request_timeout}}
+request.timeout: {{request_timeout}}
+{{/if}}
+{{#if request_proxy_url}}
+request.proxy_url: {{request_proxy_url}}
+{{/if}}
+{{#if request_retry_max_attempts}}
+request.retry.max_attempts: {{request_retry_max_attempts}}
+{{/if}}
+{{#if request_retry_wait_min}}
+request.retry.wait_min: {{request_retry_wait_min}}
+{{/if}}
+{{#if request_retry_wait_max}}
+request.retry.wait_max: {{request_retry_wait_max}}
+{{/if}}
+{{#if request_redirect_forward_headers}}
+request.redirect.forward_headers: {{request_redirect_forward_headers}}
+{{/if}}
+{{#if request_redirect_headers_ban_list}}
+request.redirect.headers_ban_list:
+{{#each request_redirect_headers_ban_list as |item i|}}
+ - {{item}}
+{{/each}}
+{{/if}}
+{{#if request_redirect_max_redirects}}
+request.redirect.max_redirects: {{request_redirect_max_redirects}}
+{{/if}}
+{{#if request_rate_limit_limit}}
+request.rate_limit.limit: {{request_rate_limit_limit}}
+{{/if}}
+{{#if request_rate_limit_reset}}
+request.rate_limit.reset: {{request_rate_limit_reset}}
+{{/if}}
+{{#if request_rate_limit_remaining}}
+request.rate_limit.remaining: {{request_rate_limit_remaining}}
+{{/if}}
+
+{{#if response_transforms}}
+response.transforms:
+ {{response_transforms}}
+{{/if}}
+{{#if response_split}}
+response.split:
+ {{response_split}}
+{{/if}}
+{{#if response_pagination}}
+response.pagination: {{response_pagination}}
+{{/if}}
+{{#if response_decode_as}}
+response.decode_as: {{response_decode_as}}
+{{/if}}
+{{#if response_request_body_on_pagination}}
+response.request_body_on_pagination: {{response_request_body_on_pagination}}
+{{/if}}
+
+{{#if cursor}}
+cursor:
+ {{cursor}}
+{{/if}}
+
+{{#if tags}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/httpjson/1.2.4/data_stream/generic/fields/base-fields.yml b/packages/httpjson/1.2.4/data_stream/generic/fields/base-fields.yml
new file mode 100755
index 0000000000..d8277624ff
--- /dev/null
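Review bot: `auth.basic.password: {{password}}` and `auth.oauth2.client.secret: {{oauth_secret}}` interpolate secrets as plain YAML scalars, so a value containing ` #` or `: `, one starting with `*`, `&`, `[` or `{`, or one that looks like a boolean or number (`no`, `0123`) is truncated, retyped or rejected by the YAML parser instead of being passed through verbatim, and the only symptom is an authentication failure at the remote API. `auth.oauth2.google.credentials_json` in the same hunk is already single-quoted, so the minimal fix is `auth.basic.password: '{{password}}'` and `auth.oauth2.client.secret: '{{oauth_secret}}'` (a secret that itself contains `'` would still need the `''` escape, which is presumably rare). The same unquoted pattern appears in the o365audit.yml.hbs hunk of this commit for `key_passphrase` and `client_secret`, where the `tenant_id` entries are already quoted as `"{{this}}"`.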
+++ b/packages/httpjson/1.2.4/data_stream/generic/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: httpjson
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: httpjson.generic
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/httpjson/1.2.4/data_stream/generic/fields/beats.yml b/packages/httpjson/1.2.4/data_stream/generic/fields/beats.yml
new file mode 100755
index 0000000000..ede6958855
--- /dev/null
+++ b/packages/httpjson/1.2.4/data_stream/generic/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/httpjson/1.2.4/data_stream/generic/fields/ecs.yml b/packages/httpjson/1.2.4/data_stream/generic/fields/ecs.yml
new file mode 100755
index 0000000000..12c7fe1cd0
--- /dev/null
+++ b/packages/httpjson/1.2.4/data_stream/generic/fields/ecs.yml
@@ -0,0 +1,18 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
diff --git a/packages/httpjson/1.2.4/data_stream/generic/manifest.yml b/packages/httpjson/1.2.4/data_stream/generic/manifest.yml
new file mode 100755
index 0000000000..c4a6699d38
--- /dev/null
+++ b/packages/httpjson/1.2.4/data_stream/generic/manifest.yml
@@ -0,0 +1,340 @@
+title: Custom HTTPJSON Input
+type: logs
+streams:
+ - input: httpjson
+ description: Collect custom data from REST API's
+ template_path: httpjson.yml.hbs
+ title: Custom HTTPJSON Input
+ vars:
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: |
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: httpjson.generic
+ required: true
+ show_user: true
+ - name: pipeline
+ type: text
+ title: Ingest Pipeline
+ description: |
+ The Ingest Node pipeline ID to be used by the integration.
+ required: false
+ show_user: true
+ - name: request_url
+ type: text
+ title: Request URL
+ description: i.e. scheme://host:port/path
+ show_user: true
+ required: true
+ default: https://server.example.com:8089/api
+ - name: request_interval
+ type: text
+ title: Request Interval
+ description: How often the API is polled, supports seconds, minutes and hours.
+ show_user: true
+ required: true
+ default: 1m
+ - name: request_method
+ type: text
+ title: Request HTTP Method
+ description: Supports either GET or POST
+ show_user: true
+ required: true
+ default: GET
+ - name: username
+ type: text
+ title: Basic Auth Username
+ show_user: true
+ required: false
+ description: The username to be used with Basic Auth headers
+ - name: password
+ type: password
+ title: Basic Auth Password
+ show_user: true
+ required: false
+ description: The password to be used with Basic Auth headers
+ - name: oauth_id
+ type: text
+ title: Oauth2 Client ID
+ description: Client ID used for Oauth2 authentication
+ show_user: true
+ required: false
+ - name: oauth_secret
+ type: password
+ title: Oauth2 Client Secret
+ description: Client secret used for Oauth2 authentication
+ show_user: true
+ required: false
+ - name: oauth_token_url
+ type: text
+ title: Oauth2 Token URL
+ description: The URL endpoint that will be used to generate the tokens during the oauth2 flow. It is required if no oauth_custom variable is set or provider is not specified in oauth_custom variable.
+ show_user: true
+ required: false
+ - name: request_body
+ type: yaml
+ title: Request Body
+ description: An optional HTTP body if the request method is POST. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_body)
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #query:
+ # bool:
+ # filter:
+ # term:
+ # type: authentication
+ - name: request_transforms
+ type: yaml
+ title: Request Transforms
+ description: Optional transformations to perform on the request before it is sent. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#request-transforms).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- set:
+ # target: body.from
+ # value: '[[now (parseDuration "-1h")]]'
+ #- set:
+ # target: url.params.limit
+ # value: 10
+ - name: response_transforms
+ type: yaml
+ title: Response Transforms
+ description: Optional transformations to perform on the response before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-transforms).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- delete:
+ # target: body.very_confidential
+ - name: response_split
+ type: yaml
+ title: Response Split
+ description: Optional transformations to perform on the response to split the response into separate documents before it is sent to Elasticsearch. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-split).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #target: body.data
+ #keep_parent: true
+ - name: response_pagination
+ type: yaml
+ title: Response Pagination
+ description: Optional settings if pagination is required to retrieve all results. All available options can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-pagination).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #- set:
+ # target: url.value
+ # value: http://localhost:9200/_search/scroll
+ #- set:
+ # target: url.params.scroll_id
+ # value: '[[.last_response.body._scroll_id]]'
+ - name: cursor
+ type: yaml
+ title: Custom request cursor
+ description: |
+ A cursor is used to keep state between each API request, and can be set to for example the value of something in the response body.
+ More information can be found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#cursor).
+ show_user: true
+ multi: false
+ required: false
+ default: |
+ #last_requested_at:
+ # value: '[[now]]'
+ - name: request_ssl
+ type: yaml
+ title: Request SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc, more examples found in the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config)
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #verification_mode: none
+ - name: request_encode_as
+ type: text
+ title: Request Encode As
+ description: ContentType used for encoding the request body. If set it will force the encoding in the specified format regardless of the Content-Type header value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_timeout
+ type: text
+ title: Request Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. Default is "30"s.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_proxy_url
+ type: text
+ title: Request Proxy
+ description: This specifies proxy configuration in the form of `http[s]://:@:`.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_max_attempts
+ type: text
+ title: Request Retry Max Attempts
+ description: The maximum number of retries for the HTTP client. Default is "5".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_wait_min
+ type: text
+ title: Request Retry Wait Min
+ description: The minimum time to wait before a retry is attempted. Default is "1s".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_retry_wait_max
+ type: text
+ title: Request Retry Wait Max
+ description: The maximum time to wait before a retry is attempted. Default is "60s".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_redirect_forward_headers
+ type: bool
+ title: Request Redirect Forward Headers
+ description: When set to true request headers are forwarded in case of a redirect. Default is "false".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_redirect_headers_ban_list
+ type: text
+ title: Request Redirect Headers Ban List
+ description: When Redirect Forward Headers is set to true, all headers except the ones defined in this list will be forwarded. All headers are forwarded by default.
+ show_user: false
+ multi: true
+ required: false
+ - name: request_redirect_max_redirects
+ type: text
+ title: Request Redirect Max Redirects
+ description: The maximum number of redirects to follow for a request. Default is "10".
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_limit
+ type: text
+ title: Request Rate Limit
+ description: The value of the response that specifies the total limit. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_reset
+ type: text
+ title: Request Rate Limit Reset
+ description: The value of the response that specifies the epoch time when the rate limit will reset. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: request_rate_limit_remaining
+ type: text
+ title: Request Rate Limit Remaining
+ description: The value of the response that specifies the remaining quota of the rate limit. It is defined with a Go template value.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_provider
+ type: text
+ title: Oauth2 Provider
+ description: Used to configure supported oauth2 providers. Each supported provider will require specific settings. It is not set by default. Supported providers are "azure" and "google".
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_scopes
+ type: text
+ title: Oauth2 Scopes
+ description: A list of scopes that will be requested during the oauth2 flow. It is optional for all providers.
+ show_user: false
+ multi: true
+ required: false
+ - name: oauth_google_credentials_file
+ type: text
+ title: Oauth2 Google Credentials File
+ description: The full path to the credentials file for Google.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_credentials_json
+ type: text
+ title: Oauth2 Google Credentials JSON
+ description: Your Google credentials information as raw JSON.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_jwt_file
+ type: text
+ title: Oauth2 Google JWT File
+ description: Full path to the JWT Account Key file for Google.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_google_delegated_account
+ type: text
+ title: Oauth2 Google Delegated account
+ description: Email of the delegated account used to create the credentials (usually an admin).
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_azure_tenant_id
+ type: text
+ title: Oauth2 Azure Tenant ID
+ description: Optional setting used for authentication when using Azure provider. Since it is used in the process to generate the token_url, it can’t be used in combination with it.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_azure_resource
+ type: text
+ title: Oauth2 Azure Resource
+ description: Optional setting for the accessed WebAPI resource when using azure provider.
+ show_user: false
+ multi: false
+ required: false
+ - name: oauth_endpoint_params
+ type: yaml
+ title: Oauth2 Endpoint Params
+ description: Set of values that will be sent on each request to the token_url. Each param key can have multiple values. Can be set for all providers except google.
+ show_user: false
+ multi: false
+ required: false
+ default: |
+ #Param1:
+ # - ValueA
+ # - ValueB
+ #Param2:
+ # - Value
+ - name: response_decode_as
+ type: text
+ title: Response decode settings
+ description: |
+ ContentType used for decoding the response body. Supported values: application/json, application/x-ndjson. By default it will use what is in the response Content-Type header.
+ show_user: false
+ required: false
+ - name: response_request_body_on_pagination
+ type: bool
+ title: Include request body on Pagination
+ description: |
+ If set to true, the values in request.body are sent with pagination requests.
+ show_user: false
+ multi: false
+ required: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
diff --git a/packages/httpjson/1.2.4/data_stream/generic/sample_event.json b/packages/httpjson/1.2.4/data_stream/generic/sample_event.json
new file mode 100755
index 0000000000..97f5b56929
--- /dev/null
+++ b/packages/httpjson/1.2.4/data_stream/generic/sample_event.json
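Review bot: `oauth_google_credentials_json` is declared `type: text` although its description says it holds the raw Google credentials JSON, which is secret material; `password` and `oauth_secret` in the same file use `type: password`, so this var should be `type: password` as well so that the policy editor presumably treats it like the other secrets instead of showing it in clear. Two documentation nits in the same hunk: the `request_timeout` description reads `Default is "30"s.` and should be `Default is "30s".` to match the `"1s"`/`"60s"` wording of the retry vars, and the `request_proxy_url` description renders as `http[s]://:@:` with the user, password, host and port placeholders missing (possibly angle-bracketed text stripped during rendering rather than absent from the file — worth confirming). The `request_ssl` example default `#verification_mode: none` also steers users toward disabling certificate verification; a `#certificate_authorities:` example would illustrate the same field without that nudge.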
@@ -0,0 +1,36 @@
+{
+ "@timestamp": "2022-03-10T12:47:55.098Z",
+ "agent": {
+ "ephemeral_id": "03c96875-43cc-4abc-b998-99527ff31de3",
+ "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.0.0"
+ },
+ "data_stream": {
+ "dataset": "httpjson.generic",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "0ddbfef9-4d38-400d-8404-d2df456bddc0",
+ "snapshot": false,
+ "version": "8.0.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "created": "2022-03-10T12:47:55.098Z",
+ "dataset": "httpjson.generic",
+ "ingested": "2022-03-10T12:47:56Z"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "message": "{\"message\":\"success\",\"page\":2}",
+ "tags": [
+ "forwarded"
+ ]
+}
\ No newline at end of file
diff --git a/packages/httpjson/1.2.4/docs/README.md b/packages/httpjson/1.2.4/docs/README.md
new file mode 100755
index 0000000000..f575d64220
--- /dev/null
+++ b/packages/httpjson/1.2.4/docs/README.md
@@ -0,0 +1,20 @@
+# Custom HTTPJSON input integration
+
+The custom HTTPJSON input integration is used to ingest data from custom RESTful API's that do not currently have an existing integration.
+
+The input itself supports sending both GET and POST requests, transform requests and responses during runtime, paginate and keep a running state on information from the last collected events.
+
+## Configuration
+
+The extensive documentation for the input are currently available [here](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html).
+
+The most commonly used configuration options are available on the main integration page, while more advanced and customizable options currently resides under the "Advanced options" part of the integration settings page.
+
+Configuration is split into three main categories, Request, Response, and Cursor.
+
+The request part of the configuration handles points like which URL endpoint to communicate with, the request body, specific transformations that have to happen before a request is sent out and some custom options like request proxy, timeout and similar options.
+
+The response part of the configuration handles options like transformation, rate limiting, pagination, and splitting the response into different documents before it is sent to Elasticsearch.
+
+The cursor part of the configuration is used when there is a need to keep state between each of the API requests, for example if a timestamp is returned in the response, that should be used as a filter in the next request after that, the cursor is a place where this is stored.
+
diff --git a/packages/httpjson/1.2.4/manifest.yml b/packages/httpjson/1.2.4/manifest.yml
new file mode 100755
index 0000000000..adb9ec7de6
--- /dev/null
+++ b/packages/httpjson/1.2.4/manifest.yml
@@ -0,0 +1,22 @@
+format_version: 1.0.0
+name: httpjson
+title: Custom HTTPJSON Input
+description: Collect custom data from REST API's with Elastic Agent.
+type: integration
+version: 1.2.4
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+license: basic
+categories:
+ - custom
+policy_templates:
+ - name: generic
+ title: Custom HTTPJSON Input
+ description: Collect custom data from REST API's
+ inputs:
+ - type: httpjson
+ title: Collect custom data from REST API's
+ description: Collect custom data from REST API's
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/o365/1.6.0/changelog.yml b/packages/o365/1.6.0/changelog.yml
new file mode 100755
index 0000000000..5a313aebbd
--- /dev/null
+++ b/packages/o365/1.6.0/changelog.yml
@@ -0,0 +1,157 @@
+# newer versions go on top
+- version: "1.6.0"
+ changes:
+ - description: Extend list of mapped record types
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3588
+- version: "1.5.1"
+ changes:
+ - description: Fix processing of ModifiedProperties when it is a list of strings
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3204
+- version: "1.5.0"
+ changes:
+ - description: Update to ECS 8.2
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2780
+- version: "1.4.3"
+ changes:
+ - description: Replace invalid field value
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3095
+- version: "1.4.2"
+ changes:
+ - description: Add documentation for multi-fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2916
+- version: "1.4.1"
+ changes:
+ - description: Fix grok parsing errors due to invalid IP addresses.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2669
+- version: "1.4.0"
+ changes:
+ - description: Update to ECS 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2427
+- version: "1.3.2"
+ changes:
+ - description: Regenerate test files using the new GeoIP database
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2339
+- version: "1.3.1"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2252
+- version: "1.2.4"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2096
+- version: "1.2.3"
+ changes:
+ - description: Fix processors configuration
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2113
+- version: "1.2.2"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1976
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1837
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1670
+- version: "1.1.4"
+ changes:
+ - description: additional type assertions in painless scripts
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1642
+- version: "1.1.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1493
+- version: '1.1.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1402
+- version: "1.1.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "1.1.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1219
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1219
+- version: "0.6.2"
+ changes:
+ - description: Use `wildcard` field type for the relevant ECS fields.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1180
+- version: "0.6.1"
+ changes:
+ - description: small pipeline fix for parameters when they are string instead of objects
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1136
+- version: "0.6.0"
+ changes:
+ - description: add system tests
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1119
+ - description: fixes o365audit config file
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1119
+- version: "0.5.0"
+ changes:
+ - description: update to ECS 1.10.0 and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1117
+- version: "0.4.0"
+ changes:
+ - description: moving edge processing to ingest pipelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/983
+- version: "0.3.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/860
+- version: "0.3.1"
+ changes:
+ - description: Change kibana.version constraint to be more conservative.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/749
+- version: "0.3.0"
+ changes:
+ - description: Add changes to use ECS 1.8 fields.
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/716
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/230
diff --git a/packages/o365/1.6.0/data_stream/audit/agent/stream/o365audit.yml.hbs b/packages/o365/1.6.0/data_stream/audit/agent/stream/o365audit.yml.hbs
new file mode 100755
index 0000000000..8656c87842
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/agent/stream/o365audit.yml.hbs
@@ -0,0 +1,39 @@
+{{#if application_id}}application_id: {{application_id}}{{/if}}
+tenant_id:
+{{#each tenants}}
+ - "{{this}}"
+{{/each}}
+{{#if certificate}}certificate: {{certificate}}{{/if}}
+{{#if key}}key: {{key}}{{/if}}
+{{#if key_passphrase}}key_passphrase: {{key_passphrase}}{{/if}}
+{{#if client_secret}}client_secret: {{client_secret}}{{/if}}
+content_type:
+{{#each content_type}}
+ - "{{this}}"
+{{/each}}
+{{#if api}}
+api:
+ {{api}}
+{{/if}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+api.preserve_original_event: true
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_fields:
+ target: "_conf"
+ fields:
+ tenants:
+ {{#each tenant_names}}
+ {{this}}
+ {{/each}}
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/o365/1.6.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/1.6.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..4920184ee0
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,1108 @@ +--- +description: Pipeline for Office 365 Audit logs + +processors: + - set: + field: ecs.version + value: '8.2.0' + - set: + field: event.kind + value: event + - append: + field: event.type + value: info + - append: + field: event.category + value: web + # General Schema + - date: + field: o365audit.CreationTime + formats: + - ISO8601 + - rename: + field: o365audit.Id + target_field: event.id + ignore_missing: true + - rename: + field: o365audit.ClientIPAddress + target_field: client._temp + ignore_missing: true + - rename: + field: o365audit.ClientIP + target_field: client._temp + ignore_missing: true + if: ctx.client?._temp == null + - rename: + field: o365audit.ActorIpAddress + target_field: client._temp + ignore_missing: true + if: ctx.client?._temp == null + - convert: + field: o365audit.UserId + target_field: user.id + type: string + ignore_missing: true + - rename: + field: o365audit.Workload + target_field: event.provider + ignore_missing: true + - rename: + field: o365audit.Operation + target_field: event.action + ignore_missing: true + - rename: + field: o365audit.OrganizationId + target_field: organization.id + ignore_missing: true + - rename: + field: o365audit.UserAgent + target_field: user_agent.original + ignore_missing: true + - script: + if: ctx.o365audit?.RecordType != null + lang: painless + params: + "1": "ExchangeAdmin" + "2": "ExchangeItem" + "3": "ExchangeItemGroup" + "4": "SharePoint" + "6": "SharePointFileOperation" + "7": "OneDrive" + "8": "AzureActiveDirectory" + "9": "AzureActiveDirectoryAccountLogon" + "10": "DataCenterSecurityCmdlet" + "11": "ComplianceDLPSharePoint" + "12": "Sway" + "13": "ComplianceDLPExchange" + "14": "SharePointSharingOperation" + "15": "AzureActiveDirectoryStsLogon" + "16": "SkypeForBusinessPSTNUsage" + "17": "SkypeForBusinessUsersBlocked" + "18": "SecurityComplianceCenterEOPCmdlet" + "19": "ExchangeAggregatedOperation" + "20": "PowerBIAudit" + "21": "CRM" + "22": "Yammer" + "23": 
"SkypeForBusinessCmdlets" + "24": "Discovery" + "25": "MicrosoftTeams" + "28": "ThreatIntelligence" + "29": "MailSubmission" + "30": "MicrosoftFlow" + "31": "AeD" + "32": "MicrosoftStream" + "33": "ComplianceDLPSharePointClassification" + "34": "ThreatFinder" + "35": "Project" + "36": "SharePointListOperation" + "37": "SharePointCommentOperation" + "38": "DataGovernance" + "39": "Kaizala" + "40": "SecurityComplianceAlerts" + "41": "ThreatIntelligenceUrl" + "42": "SecurityComplianceInsights" + "43": "MIPLabel" + "44": "WorkplaceAnalytics" + "45": "PowerAppsApp" + "46": "PowerAppsPlan" + "47": "ThreatIntelligenceAtpContent" + "48": "LabelContentExplorer" + "49": "TeamsHealthcare" + "50": "ExchangeItemAggregated" + "51": "HygieneEvent" + "52": "DataInsightsRestApiAudit" + "53": "InformationBarrierPolicyApplication" + "54": "SharePointListItemOperation" + "55": "SharePointContentTypeOperation" + "56": "SharePointFieldOperation" + "57": "MicrosoftTeamsAdmin" + "58": "HRSignal" + "59": "MicrosoftTeamsDevice" + "60": "MicrosoftTeamsAnalytics" + "61": "InformationWorkerProtection" + "62": "Campaign" + "63": "DLPEndpoint" + "64": "AirInvestigation" + "65": "Quarantine" + "66": "MicrosoftForms" + "67": "ApplicationAudit" + "68": "ComplianceSupervisionExchange" + "69": "CustomerKeyServiceEncryption" + "70": "OfficeNative" + "71": "MipAutoLabelSharePointItem" + "72": "MipAutoLabelSharePointPolicyLocation" + "73": "MicrosoftTeamsShifts" + "75": "MipAutoLabelExchangeItem" + "76": "CortanaBriefing" + "78": "WDATPAlerts" + "82": "SensitivityLabelPolicyMatch" + "83": "SensitivityLabelAction" + "84": "SensitivityLabeledFileAction" + "85": "AttackSim" + "86": "AirManualInvestigation" + "87": "SecurityComplianceRBAC" + "88": "UserTraining" + "89": "AirAdminActionInvestigation" + "90": "MSTIC" + "91": "PhysicalBadgingSignal" + "93": "AipDiscover" + "94": "AipSensitivityLabelAction" + "95": "AipProtectionAction" + "96": "AipFileDeleted" + "97": "AipHeartBeat" + "98": "MCASAlerts" + 
"99": "OnPremisesFileShareScannerDlp" + "100": "OnPremisesSharePointScannerDlp" + "101": "ExchangeSearch" + "102": "SharePointSearch" + "103": "PrivacyInsights" + "105": "MyAnalyticsSettings" + "106": "SecurityComplianceUserChange" + "107": "ComplianceDLPExchangeClassification" + "109": "MipExactDataMatch" + "113": "MS365DCustomDetection" + "147": "CoreReportingSettings" + "148": "ComplianceConnector" + "174": "DataShareOperation" + "181": "EduDataLakeDownloadOperation" + source: > + def schemaId = ctx.o365audit.RecordType.toString(); + def schema = params[schemaId]; + if (schema != null) { + if (ctx.event == null) { + ctx.event = new HashMap(); + } + ctx.event.code = schema; + } + - set: + field: event.outcome + value: success + if: 'ctx.o365audit?.ResultStatus != null && ["succeeded", "success", "partiallysucceeded", "true"].contains(ctx.o365audit?.ResultStatus.toLowerCase())' + - set: + field: event.outcome + value: failure + if: 'ctx.o365audit?.ResultStatus != null && ["failed", "false"].contains(ctx.o365audit?.ResultStatus.toLowerCase())' + - set: + field: event.outcome + value: success + if: ctx.event?.outcome == null + - script: + lang: painless + if: 'ctx.o365audit?.Parameters != null && ctx.o365audit?.Parameters instanceof List' + source: > + def newparams = new HashMap(); + def oldparams = ctx.o365audit.Parameters; + for (int i = 0; i < oldparams.length; ++i) { + if (oldparams[i]["Value"] != null) { + newparams[oldparams[i]["Name"]] = oldparams[i]["Value"]; + } + } + ctx.o365audit.Parameters = newparams; + - rename: + field: o365audit.Parameters + target_field: o365audit.Parameters._raw + if: 'ctx.o365audit?.Parameters != null && ctx.o365audit?.Parameters instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.ExtendedProperties != null && ctx.o365audit?.ExtendedProperties instanceof List' + source: > + def newparams = new HashMap(); + def oldparams = ctx.o365audit.ExtendedProperties; + for (int i = 0; i < oldparams.length; ++i) { + if 
(oldparams[i]["Value"] != null) { + newparams[oldparams[i]["Name"]] = oldparams[i]["Value"]; + } + } + ctx.o365audit.ExtendedProperties = newparams; + - rename: + field: o365audit.ExtendedProperties + target_field: o365audit.ExtendedProperties._raw + if: 'ctx.o365audit?.ExtendedProperties != null && ctx.o365audit?.ExtendedProperties instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.ModifiedProperties != null && ctx.o365audit?.ModifiedProperties instanceof List' + source: > + def newparams = new HashMap(); + def oldparams = ctx.o365audit.ModifiedProperties; + for (int i = 0; i < oldparams.length; ++i) { + if (oldparams[i] instanceof Map && oldparams[i]["OldValue"] != null && oldparams[i]["NewValue"] != null) { + def validname = oldparams[i]["Name"].replace(" ","_").replace(".","_"); + newparams[validname] = new HashMap(); + newparams[validname]["NewValue"] = oldparams[i]["NewValue"]; + newparams[validname]["OldValue"] = oldparams[i]["OldValue"]; + } + if (oldparams[i] instanceof String) { + def validname = oldparams[i].replace(" ","_").replace(".","_"); + newparams[validname] = new HashMap(); + } + } + if (newparams.isEmpty()) { + ctx.o365audit.remove("ModifiedProperties"); + return; + } + ctx.o365audit.ModifiedProperties = newparams; + + - rename: + field: o365audit.ModifiedProperties + target_field: o365audit.ModifiedProperties._raw + if: 'ctx.o365audit?.ModifiedProperties != null && ctx.o365audit?.ModifiedProperties instanceof String' + - script: + lang: painless + if: 'ctx.o365audit?.AlertLinks != null && ctx.o365audit?.AlertLinks instanceof List' + source: > + def list = ctx.o365audit.AlertLinks; + def links = new ArrayList(); + for (int i = 0; i < list.length; ++i) { + if (list[i] instanceof Map && list[i].containsKey("AlertLinkHref") && list[i]["AlertLinkHref"] != null && list[i]["AlertLinkHref"] instanceof String) { + links.add(list[i]["AlertLinkHref"]); + } + } + if (links.length == 0) { + ctx.o365audit.remove("AlertLinks"); + return; + 
} + ctx.o365audit.AlertLinks = links; + - set: + field: event.severity + value: 1 + if: ctx.o365audit?.Severity == "informational" + - set: + field: event.severity + value: 2 + if: ctx.o365audit?.Severity == "low" + - set: + field: event.severity + value: 3 + if: ctx.o365audit?.Severity == "medium" + - set: + field: event.severity + value: 4 + if: ctx.o365audit?.Severity == "high" + # ExchangeAdmin Schema + - rename: + field: o365audit.OrganizationName + target_field: organization.name + ignore_missing: true + if: ctx.event?.code == "ExchangeAdmin" + - rename: + field: o365audit.OriginatingServer + target_field: server._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeAdmin" + # ExchangeItem Schema + - rename: + field: o365audit.MailboxOwnerUPN + target_field: user.email + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - convert: + field: o365audit.LogonUserSid + target_field: user.id + type: string + ignore_missing: true + if: 'ctx.user?.id == null && ctx.o365audit?.LogonUserSid != null && ctx.event?.code == "ExchangeItem"' + - rename: + field: o365audit.LogonUserDisplayName + target_field: user.full_name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.OrganizationName + target_field: organization.name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.OriginatingServer + target_field: server._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.ClientIPAddress + target_field: client._temp + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + - rename: + field: o365audit.ClientProcessName + target_field: process.name + ignore_missing: true + if: ctx.event?.code == "ExchangeItem" + # AzureActiveDirectory Schema + - set: + field: user.target.id + copy_from: o365audit.ObjectId + if: ctx.event?.code == "AzureActiveDirectory" + ## AzureActiveDirectory Schema new user + - set: + field: event.action 
+ value: added-user-account
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "Add user."'
+ - append:
+ field: event.category
+ value: iam
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"'
+ - append:
+ field: event.type
+ value: user
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"'
+ - append:
+ field: event.type
+ value: creation
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "added-user-account"'
+ ## AzureActiveDirectory Schema update user
+ - set:
+ field: event.action
+ value: modified-user-account
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "Update user."'
+ - append:
+ field: event.category
+ value: iam
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"'
+ - append:
+ field: event.type
+ value: user
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"'
+ - append:
+ field: event.type
+ value: change
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "modified-user-account"'
+ ## AzureActiveDirectory Schema delete user
+ - set:
+ field: event.action
+ value: deleted-user-account
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "Delete user."'
+ - append:
+ field: event.category
+ value: iam
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"'
+ - append:
+ field: event.type
+ value: user
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"'
+ - append:
+ field: event.type
+ value: deletion
+ if: 'ctx.event?.code == "AzureActiveDirectory" && ctx.event?.action == "deleted-user-account"'
+ # AzureActiveDirectoryStsLogon Schema
+ - append:
+ field: event.category
+ value: authentication
+ if: ctx.event?.code == "AzureActiveDirectoryStsLogon"
+ - append:
+ field: event.type
+ value: start
+ if: ctx.event?.code == "AzureActiveDirectoryStsLogon"
+ - append:
+ field: event.type
+ value: access
+ if: 'ctx.event?.code == "AzureActiveDirectoryStsLogon"'
+ # SharePointFileOperation Schema
+ - rename:
+ field: o365audit.ObjectId
+ target_field: url.original
+ ignore_missing: true
+ if: ctx.event?.code == "SharePointFileOperation"
+ - rename:
+ field: o365audit.SourceRelativeUrl
+ target_field: file.directory
+ ignore_missing: true
+ if: ctx.event?.code == "SharePointFileOperation"
+ - rename:
+ field: o365audit.SourceFileName
+ target_field: file.name
+ ignore_missing: true
+ if: ctx.event?.code == "SharePointFileOperation"
+ - rename:
+ field: o365audit.SourceFileExtension
+ target_field: file.extension
+ ignore_missing: true
+ if: ctx.event?.code == "SharePointFileOperation"
+ - append:
+ field: event.category
+ value: file
+ if: 'ctx.event?.action != null && ["FileAccessed", "FileDeleted", "FileDownloaded", "FileModified", "FileMoved", "FileRenamed", "FileRestored", "FileUploaded", "FolderCopied", "FolderCreated", "FolderDeleted", "FolderModified", "FolderMoved", "FolderRenamed", "FolderRestored"].contains(ctx.event?.action)'
+ - append:
+ field: event.category
+ value: configuration
+ if: ctx.event?.action == "ComplianceSettingChanged"
+ - append:
+ field: event.type
+ value: access
+ if: 'ctx.event?.action != null && ["FileAccessed", "FileDownloaded"].contains(ctx.event?.action)'
+ - append:
+ field: event.type
+ value: change
+ if: 'ctx.event?.action != null && ["ComplianceSettingChanged", "FileModified", "FileMoved", "FileRenamed", "FileRestored", "FolderModified", "FolderMoved", "FolderRenamed", "FolderRestored"].contains(ctx.event?.action)'
+ - append:
+ field: event.type
+ value: deletion
+ if: 'ctx.event?.action != null && ["FileDeleted", "FolderDeleted"].contains(ctx.event?.action)'
+ - append:
+ field: event.type
+ value: creation
+ if: 'ctx.event?.action != null && ["FileUploaded", "FolderCopied", "FolderCreated"].contains(ctx.event?.action)'
+ # SecurityComplianceAlerts Schema
+ - rename:
+ field: o365audit.Comments
+ target_field: message
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.Name
+ target_field: rule.name
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.PolicyId
+ target_field: rule.id
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.Category
+ target_field: rule.category
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.EntityType
+ target_field: rule.ruleset
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.AlertEntityId
+ target_field: rule.description
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - rename:
+ field: o365audit.AlertLinks
+ target_field: rule.reference
+ ignore_missing: true
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - append:
+ field: event.category
+ value: authentication
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category == "AccessGovernance"'
+ - append:
+ field: event.category
+ value: file
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category != null && ["DataGovernance", "DataLossPrevention"].contains(ctx.o365audit?.Category)'
+ - append:
+ field: event.category
+ value: malware
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category == "ThreatManagement"'
+ - append:
+ field: event.category
+ value: authentication
+ allow_duplicates: false
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.o365audit?.Category != null && !["DataGovernance", "DataLossPrevention", "ThreatManagement", "AccessGovernance"].contains(ctx.o365audit?.Category)'
+ - append:
+ field: event.category
+ value: web
+ allow_duplicates: false
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - append:
+ field: event.type
+ value: info
+ allow_duplicates: false
+ if: ctx.event?.code == "SecurityComplianceAlerts"
+ - convert:
+ field: o365audit.AlertEntityId
+ target_field: user.id
+ type: string
+ ignore_missing: true
+ if: 'ctx.user?.id == null && ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset == "User"'
+ - rename:
+ field: o365audit.AlertEntityId
+ target_field: user.email
+ ignore_missing: true
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset != null && ["Recipients", "Sender"].contains(ctx.rule?.ruleset)'
+ - rename:
+ field: o365audit.AlertEntityId
+ target_field: threat.technique.id
+ ignore_missing: true
+ if: 'ctx.event?.code == "SecurityComplianceAlerts" && ctx.rule?.ruleset == "MalwareFamily"'
+ # DLP Schema
+ - set:
+ field: event.kind
+ value: alert
+ if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)'
+ - append:
+ field: event.category
+ value: file
+ if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)'
+ - append:
+ field: event.type
+ value: access
+ if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)'
+ - rename:
+ field: o365audit.SharePointMetaData.From
+ target_field: user.id
+ ignore_missing: true
+ if: 'ctx.user?.id == null && ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)'
+ - rename:
+ field: o365audit.SharePointMetaData.FileName
+ target_field: file.name
+ ignore_missing: true
+ if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)'
+ - rename:
+ field: o365audit.SharePointMetaData.FilePathUrl
+ target_field:
url.original + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.UniqueId + target_field: file.inode + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.UniqueID + target_field: file.inode + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.SharePointMetaData.FileOwner + target_field: file.owner + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.ExchangeMetaData.From + target_field: source.user.email + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.ExchangeMetaData.Subject + target_field: message + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.PolicyId + target_field: rule.id + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - rename: + field: o365audit.PolicyName + target_field: rule.name + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + - date: + field: o365audit.SharePointMetaData.LastModifiedTime + target_field: file.mtime + formats: + - ISO8601 + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.SharePointMetaData?.LastModifiedTime != null' + - script: + lang: painless + if: 
'ctx.event?.code != null && ctx.o365audit?.ExchangeMetaData!= null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code)' + source: > + def fields = new def[] {"To", "CC", "BCC"}; + if (ctx.destination == null) { + ctx.destination = new HashMap(); + } + if (ctx.destination.user == null) { + ctx.destination.user = new HashMap(); + } + ctx.destination.user.email = new ArrayList(); + for (int i = 0; i < fields.length; ++i) { + if (ctx.o365audit.ExchangeMetaData instanceof Map && ctx.o365audit.ExchangeMetaData.containsKey(fields[i])) { + def emails = ctx.o365audit.ExchangeMetaData[fields[i]]; + if (emails instanceof List){ + for (int e = 0; e < emails.length; ++e) { + ctx.destination.user.email.add(emails[e]); + } + } + if (emails instanceof String){ + ctx.destination.user.email.add(emails); + } + } + } + - rename: + field: o365audit.ExceptionInfo + target_field: o365audit.ExceptionInfo.Reason + ignore_missing: true + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.ExceptionInfo != null && ctx.o365audit?.ExceptionInfo instanceof String' + - script: + lang: painless + if: 'ctx.event?.code != null && ["ComplianceDLPSharePoint", "ComplianceDLPExchange"].contains(ctx.event?.code) && ctx.o365audit?.PolicyDetails != null' + source: > + int severityToCode(def x) { + if (x.toLowerCase() == "informational") { + return 1; + } + if (x.toLowerCase() == "low") { + return 2; + } + if (x.toLowerCase() == "medium") { + return 3; + } + if (x.toLowerCase() == "high") { + return 4; + } + return 0; + } + def policies = ctx.o365audit.PolicyDetails; + if (policies == null) { + return; + } + if (ctx.rule == null) { + ctx.rule = new HashMap(); + } + if (ctx.rule.id == null) { + ctx.rule.id = new ArrayList(); + } + if (ctx.rule.name == null) { + ctx.rule.name = new ArrayList(); + } + def maxSeverity = 0; + def allowed = true; + for (int i = 0; i < policies.length && policies instanceof 
List; ++i) { + def rules = policies[i].Rules; + if (rules == null) { + continue; + } + for (int j = 0; j < rules.length; ++j) { + def rule = rules[j]; + def id = rule.RuleId; + def name = rule.RuleName; + def sev = severityToCode(rule.Severity); + if (id != null && name != null) { + ctx.rule.id.add(id); + ctx.rule.name.add(name); + } + if (sev > maxSeverity) { + maxSeverity = sev; + } + if (allowed) { + if (rule.Actions != null && rule.Actions.contains("BlockAccess")) { + allowed = false; + } + } + } + } + if (maxSeverity > -1) { + ctx.event.severity = maxSeverity; + } + if (allowed) { + ctx.event.outcome = "success"; + return; + } + if (ctx.event?.action == "DlpRuleUndo") { + ctx.event.outcome = "success"; + return; + } + if (ctx.event?.action == "DlpInfo") { + ctx.event.outcome = "failure"; + return; + } + if (ctx.o365audit?.ExceptionInfo != null && !ctx.o365audit?.ExceptionInfo.isEmpty()) { + ctx.event.outcome = "success"; + return; + } + ctx.event.outcome = "failure"; + # Yammer Schema + - rename: + field: o365audit.ActorUserId + target_field: user.email + ignore_missing: true + if: ctx.event?.code == "Yammer" + - convert: + field: o365audit.ActorYammerUserId + target_field: user.id + type: string + ignore_missing: true + if: 'ctx.user?.id == null && ctx.event?.code == "Yammer"' + - rename: + field: o365audit.FileId + target_field: file.inode + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.FileName + target_field: file.name + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.GroupName + target_field: group.name + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.TargetUserId + target_field: destination.user.email + ignore_missing: true + if: ctx.event?.code == "Yammer" + - rename: + field: o365audit.TargetYammerUserId + target_field: destination.user.id + ignore_missing: true + if: ctx.event?.code == "Yammer" + - append: + field: event.category + 
value: configuration + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["NetworkConfigurationUpdated", "NetworkSecurityConfigurationUpdated", "SoftDeleteSettingsUpdated", "ProcessProfileFields", "SupervisorAdminToggled"].contains(ctx.event?.action)' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["NetworkSecurityConfigurationUpdated", "GroupCreation", "GroupDeletion", "NetworkUserSuspended", "UserSuspension"].contains(ctx.event?.action)' + - append: + field: event.category + value: file + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileCreated", "FileDownloaded", "FileShared", "FileUpdateDescription", "FileUpdateName", "FileVisited"].contains(ctx.event?.action)' + - append: + field: event.type + value: change + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["NetworkConfigurationUpdated", "NetworkSecurityConfigurationUpdated", "SoftDeleteSettingsUpdated", "ProcessProfileFields", "SupervisorAdminToggled"].contains(ctx.event?.action)' + - append: + field: event.type + value: admin + if: 'ctx.event?.code == "Yammer" && ctx.event?.action == "NetworkSecurityConfigurationUpdated"' + - append: + field: event.type + value: creation + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileCreated", "GroupCreation", "FileUpdateName"].contains(ctx.event?.action)' + - append: + field: event.type + value: deletion + if: 'ctx.event?.code == "Yammer" && ctx.event?.action == "GroupDeletion"' + - append: + field: event.type + value: access + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["FileDownloaded", "FileShared", "FileUpdateDescription", "FileVisited"].contains(ctx.event?.action)' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "Yammer" && ctx.event?.action != null && ["GroupCreation", "GroupDeletion"].contains(ctx.event?.action)' + # Teams Schema + - set: + field: event.action + value: 
added-group-account-to + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "TeamCreated"' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - append: + field: event.type + value: creation + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-group-account-to"' + - rename: + field: o365audit.TeamName + target_field: group.name + ignore_missing: true + if: ctx.event?.code == "MicrosoftTeams" + - set: + field: event.action + value: added-users-to-group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "MemberAdded"' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - append: + field: event.type + value: group + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - append: + field: event.type + value: change + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "added-users-to-group"' + - set: + field: event.action + value: deleted-user-account + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "Delete user."' + - append: + field: event.category + value: iam + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: user + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - append: + field: event.type + value: deletion + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - rename: + field: o365audit.ObjectId + target_field: user.target.id + ignore_missing: true + if: 'ctx.event?.code == "MicrosoftTeams" && ctx.event?.action == "deleted-user-account"' + - script: + lang: painless + 
if: 'ctx.event?.code == "MicrosoftTeams" && ctx.o365audit?.Members != null && ctx.o365audit.Members instanceof List' + source: > + def members = ctx.o365audit?.Members; + if (ctx.related == null) { + ctx.related = new HashMap(); + } + if (ctx.related.user == null) { + ctx.related.user = new ArrayList(); + } + for (int i = 0; i < members.length; ++i) { + if (members[i] instanceof Map && members[i].containsKey("UPN") && !members[i]["UPN"].isEmpty()) { + ctx.related.user.add(members[i]["UPN"]); + } + } + - gsub: + field: client._temp + pattern: '::ffff:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)' + replacement: '$1' + ignore_missing: true + - grok: + field: client._temp + patterns: + - '%{IPANDPORTBRACKETS}' + - '^%{IP:client.address}$' + - '^\[%{IP:client.address}\]$' + - '%{IPANDPORT}' + - '^%{NOTSPACE:client.domain}$' + - '%{HOSTNAMEANDPORTBRACKETS}' + - '%{HOSTNAMEANDPORT}' + - '^\[%{HOSTNAMEANDIP}\]$' + - '^%{HOSTNAMEANDIP}$' + - '%{GREEDYDATA:client.address}' + pattern_definitions: + IPANDPORTBRACKETS: '^\[%{IP:client.address}\]:%{POSINT:client._port}' + IPANDPORT: '^%{IP:client.address}:%{POSINT:client._port}' + HOSTNAMEANDPORTBRACKETS: '^\[%{NOTSPACE:client.domain}\]:%{POSINT:client._port}' + HOSTNAMEANDPORT: '^%{NOTSPACE:client.domain}:%{POSINT:client._port}' + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:client.domain} \(%{NOTCLOSINGPARENS:client.address}\)' + if: 'ctx.client?._temp != null && !ctx.client?._temp.isEmpty()' + - gsub: + field: server._temp + pattern: "[\n\r]" + replacement: "" + ignore_missing: true + - grok: + field: server._temp + patterns: + - '^\[%{HOSTNAMEANDIP}\]$' + - '%{HOSTNAMEANDIP}' + - '%{GREEDYDATA:server.address}' + pattern_definitions: + NOTCLOSINGPARENS: '[^)]*' + HOSTNAMEANDIP: '%{NOTSPACE:server.domain} \(%{NOTCLOSINGPARENS:server.address}\)' + if: 'ctx.server?._temp != null && !ctx.server?._temp.isEmpty()' + ignore_failure: true + - convert: + field: client.address + target_field: client.ip + type: ip + ignore_failure: true + 
- convert: + field: client._port + target_field: client.port + type: long + ignore_missing: true + - convert: + field: server.address + target_field: server.ip + type: ip + ignore_failure: true + - remove: + field: + - client._port + - client._temp + - server._temp + ignore_missing: true + - set: + field: source.ip + copy_from: client.ip + if: ctx.client?.ip != null + - set: + field: source.port + copy_from: client.port + if: ctx.client?.port != null + - set: + field: destination.ip + copy_from: server.ip + if: ctx.server?.ip != null + - script: + lang: painless + if: 'ctx.user?.id != null && ctx.user?.id.contains("@")' + source: > + String[] splitmail = ctx.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.user.email = ctx.user.id; + ctx.user.domain = splitmail[1]; + ctx.user.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.user?.target?.id != null && ctx.user?.target?.id.contains("@")' + source: > + String[] splitmail = ctx.user.target.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.user.target.email = ctx.user.target.id; + ctx.user.target.domain = splitmail[1]; + ctx.user.target.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.source?.user?.id != null && ctx.source?.user?.id.contains("@")' + source: > + String[] splitmail = ctx.source.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.source.user.email = ctx.source.user.id; + ctx.source.user.domain = splitmail[1]; + ctx.source.user.name = splitmail[0]; + - script: + lang: painless + if: 'ctx.destination?.user?.id != null && ctx.destination?.user?.id.contains("@")' + source: > + String[] splitmail = ctx.destination.user.id.splitOnToken("@"); + if (splitmail.length != 2) { + return; + } + ctx.destination.user.email = ctx.destination.user.id; + ctx.destination.user.domain = splitmail[1]; + ctx.destination.user.name = splitmail[0]; + - set: + field: network.type + value: ipv6 + if: 'ctx.client?.ip != null && 
ctx.client?.ip.contains(":")' + - set: + field: network.type + value: ipv4 + if: 'ctx.network?.type == null && ctx.client?.ip != null' + - append: + field: related.ip + value: "{{client.ip}}" + allow_duplicates: false + if: ctx.client?.ip != null + - append: + field: related.ip + value: "{{server.ip}}" + allow_duplicates: false + if: ctx.server?.ip != null + - append: + field: related.user + value: "{{user.name}}" + allow_duplicates: false + if: ctx.user?.name != null + - append: + field: related.user + value: "{{user.target.name}}" + allow_duplicates: false + if: ctx.user?.target?.name != null + - append: + field: related.user + value: "{{file.owner}}" + allow_duplicates: false + if: ctx.file?.owner != null + - rename: + field: o365audit.ExtendedProperties.UserAgent + target_field: user_agent.original + ignore_missing: true + if: ctx.o365audit?.ExtendedProperties?.UserAgent != null + # Add Host and Organization fields + - lowercase: + field: organization.id + ignore_missing: true + - set: + field: host.id + copy_from: organization.id + if: ctx.organization?.id != null + - script: + lang: painless + if: 'ctx.organization?.id != null && ctx._conf?.tenants != null' + source: > + def conftenants = ctx._conf.tenants; + def orgid = ctx.organization.id; + if (conftenants instanceof Map && conftenants.containsKey(orgid)) { + ctx.organization.name = conftenants[orgid]; + ctx.host.name = conftenants[orgid]; + } + - set: + field: host.name + copy_from: organization.name + if: ctx.organization?.name != null && ctx.host?.name == null + - set: + field: host.name + copy_from: user.domain + if: ctx.user?.domain != null && ctx.host?.name == null + # Convert field values + - convert: + field: o365audit.AzureActiveDirectoryEventType + type: string + ignore_missing: true + - convert: + field: o365audit.RecordType + type: string + ignore_missing: true + - convert: + field: o365audit.UserType + type: string + ignore_missing: true + - convert: + field: o365audit.Version + type: string + 
ignore_missing: true
+ - convert:
+ field: o365audit.InternalLogonType
+ type: string
+ ignore_missing: true
+ - convert:
+ field: o365audit.LogonType
+ type: string
+ ignore_missing: true
+ - convert:
+ field: o365audit.ActorYammerUserId
+ type: string
+ ignore_missing: true
+ - convert:
+ field: o365audit.YammerNetworkId
+ type: string
+ ignore_missing: true
+ - rename:
+ field: o365audit
+ target_field: o365.audit
+ ignore_missing: true
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - remove:
+ field:
+ - _conf
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/o365/1.6.0/data_stream/audit/fields/agent.yml b/packages/o365/1.6.0/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..da4e652c53
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
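Review bot: In the `PolicyDetails` script of the DLP section, `severityToCode(rule.Severity)` calls `x.toLowerCase()` with no null guard, so a rule entry that lacks `Severity` raises a NullPointerException that aborts the remaining processors; `on_failure` only records `error.message`, so the document is indexed with the later ECS fields (client/source IP, related.*, geoip, the `o365audit` → `o365.audit` rename) unpopulated. Add `if (x == null) { return 0; }` as the first statement of `severityToCode`. In the same script `maxSeverity` starts at 0 and every `sev` is non-negative, so `if (maxSeverity > -1)` is always true and `ctx.event.severity` is overwritten with 0 even when no rule carried a severity; `if (maxSeverity > 0)` would keep a value set earlier from `o365audit.Severity`. The `MicrosoftTeams` `Members` script has the same shape of risk: `members[i].containsKey("UPN") && !members[i]["UPN"].isEmpty()` checks that the key exists but dereferences a possibly null value, so `members[i]["UPN"] != null` belongs in that condition.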
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/o365/1.6.0/data_stream/audit/fields/base-fields.yml b/packages/o365/1.6.0/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..f43cebe668
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: o365
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: o365.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/o365/1.6.0/data_stream/audit/fields/beats.yml b/packages/o365/1.6.0/data_stream/audit/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/o365/1.6.0/data_stream/audit/fields/ecs.yml b/packages/o365/1.6.0/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..2bf1d87305
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,338 @@ +- description: |- + Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: client.address + type: keyword +- description: |- + The domain name of the client system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: client.domain + type: keyword +- description: IP address of the client (IPv4 or IPv6). + name: client.ip + type: ip +- description: Port of the client. + name: client.port + type: long +- description: Unique container id. + name: container.id + type: keyword +- description: IP address of the destination (IPv4 or IPv6). + name: destination.ip + type: ip +- description: User email address. + name: destination.user.email + type: keyword +- description: Unique identifier of the user. + name: destination.user.id + type: keyword +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + The action captured by the event. + This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + name: event.action + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + Identification code for this event, if one exists. + Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. + name: event.code + type: keyword +- description: Unique ID to describe the event. + name: event.id + type: keyword +- description: |- + Timestamp when an event arrived in the central data store. + This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. + In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. + name: event.ingested + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. 
+ `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. + Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. + Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. + Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + name: event.outcome + type: keyword +- description: |- + Source of the event. + Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). + name: event.provider + type: keyword +- description: |- + The numeric severity of the event according to your event source. + What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + name: event.severity + type: long +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
+ `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: Directory where the file is located. It should include the drive letter, when appropriate. + name: file.directory + type: keyword +- description: |- + File extension, excluding the leading dot. + Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). + name: file.extension + type: keyword +- description: Inode representing the file in the filesystem. + name: file.inode + type: keyword +- description: Last time the file content was modified. + name: file.mtime + type: date +- description: Name of the file including the extension, without the directory. + name: file.name + type: keyword +- description: File owner's username. + name: file.owner + type: keyword +- description: Name of the group. + name: group.name + type: keyword +- description: |- + Unique host id. + As hostname is not always unique, use values that are meaningful in your environment. + Example: The current usage of `beat.name`. + name: host.id + type: keyword +- description: |- + Name of the host. + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + name: host.name + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. 
+ name: message + type: match_only_text +- description: |- + In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc + The field value must be normalized to lowercase for querying. + name: network.type + type: keyword +- description: Unique identifier for the organization. + name: organization.id + type: keyword +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: organization.name + type: keyword +- description: |- + Process name. + Sometimes called program name or similar. + multi_fields: + - name: text + type: match_only_text + name: process.name + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All the user names or other user identifiers seen on the event. + name: related.user + type: keyword +- description: A categorization value keyword used by the entity using the rule for detection of this event. + name: rule.category + type: keyword +- description: The description of the rule generating the event. + name: rule.description + type: keyword +- description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + name: rule.id + type: keyword +- description: The name of the rule or signature generating the event. + name: rule.name + type: keyword +- description: |- + Reference URL to additional information about the rule used to generate this event. + The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + name: rule.reference + type: keyword +- description: Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + name: rule.ruleset + type: keyword +- description: |- + Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. 
You should always store the raw address in the `.address` field. + Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + name: server.address + type: keyword +- description: |- + The domain name of the server system. + This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. + name: server.domain + type: keyword +- description: IP address of the server (IPv4 or IPv6). + name: server.ip + type: ip +- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + name: source.as.number + type: long +- description: Organization name. + multi_fields: + - name: text + type: match_only_text + name: source.as.organization.name + type: keyword +- description: City name. + name: source.geo.city_name + type: keyword +- description: Name of the continent. + name: source.geo.continent_name + type: keyword +- description: Country ISO code. + name: source.geo.country_iso_code + type: keyword +- description: Country name. + name: source.geo.country_name + type: keyword +- description: Longitude and latitude. + level: core + name: source.geo.location + type: geo_point +- description: |- + User-defined description of a location, at the level of granularity they care about. + Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. + Not typically used in automated geolocation. + name: source.geo.name + type: keyword +- description: Region ISO code. + name: source.geo.region_iso_code + type: keyword +- description: Region name. + name: source.geo.region_name + type: keyword +- description: IP address of the source (IPv4 or IPv6). + name: source.ip + type: ip +- description: Port of the source. + name: source.port + type: long +- description: User email address. 
+ name: source.user.email + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + name: threat.technique.id + type: keyword +- description: |- + Unmodified original url as seen in the event source. + Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. + This field is meant to represent the URL as it was observed, complete or not. + multi_fields: + - name: text + type: match_only_text + name: url.original + type: wildcard +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.domain + type: keyword +- description: User email address. + name: user.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.full_name + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.name + type: keyword +- description: |- + Name of the directory the user is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.domain + type: keyword +- description: User email address. + name: user.target.email + type: keyword +- description: User's full name, if available. + multi_fields: + - name: text + type: match_only_text + name: user.target.full_name + type: keyword +- description: |- + Name of the directory the group is a member of. + For example, an LDAP or Active Directory domain name. + name: user.target.group.domain + type: keyword +- description: Unique identifier for the group on the system/platform. 
+ name: user.target.group.id + type: keyword +- description: Name of the group. + name: user.target.group.name + type: keyword +- description: Unique identifier of the user. + name: user.target.id + type: keyword +- description: Short name or login of the user. + multi_fields: + - name: text + type: match_only_text + name: user.target.name + type: keyword +- description: Name of the device. + name: user_agent.device.name + type: keyword +- description: Name of the user agent. + name: user_agent.name + type: keyword +- description: Unparsed user_agent string. + multi_fields: + - name: text + type: match_only_text + name: user_agent.original + type: keyword +- description: Operating system name, including the version or code name. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.full + type: keyword +- description: Operating system name, without the version. + multi_fields: + - name: text + type: match_only_text + name: user_agent.os.name + type: keyword +- description: Operating system version as a raw string. + name: user_agent.os.version + type: keyword +- description: Version of the user agent. + name: user_agent.version + type: keyword diff --git a/packages/o365/1.6.0/data_stream/audit/fields/fields.yml b/packages/o365/1.6.0/data_stream/audit/fields/fields.yml new file mode 100755 index 0000000000..9a28d598c3 --- /dev/null +++ b/packages/o365/1.6.0/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,201 @@ +- name: o365.audit + type: group + fields: + - name: Actor + type: array + fields: + - name: ID + type: keyword + - name: Type + type: keyword + - name: ActorContextId + type: keyword + - name: ActorIpAddress + type: keyword + - name: ActorUserId + type: keyword + - name: ActorYammerUserId + type: keyword + - name: AlertEntityId + type: keyword + - name: AlertId + type: keyword + - name: AlertLinks + type: array + - name: AlertType + type: keyword + - name: AppId + type: keyword + - name: ApplicationDisplayName + type: keyword + - name: ApplicationId + type: keyword + - name: AzureActiveDirectoryEventType + type: keyword + - name: ExchangeMetaData.* + type: object + - name: Category + type: keyword + - name: ClientAppId + type: keyword + - name: ClientInfoString + type: keyword + - name: ClientIP + type: keyword + - name: ClientIPAddress + type: keyword + - name: ClientRequestId + type: keyword + - name: Comments + type: text + - name: CorrelationId + type: keyword + - name: CreationTime + type: keyword + - name: CustomUniqueId + type: boolean + - name: Data + type: keyword + - name: DataType + type: keyword + - name: EntityType + type: keyword + - name: ErrorNumber + type: keyword + - name: EventData + type: keyword + - name: EventSource + type: keyword + - name: ExceptionInfo.* + type: object + - name: ExtendedProperties.* + type: object + - name: ExternalAccess + type: boolean + - name: GroupName + type: keyword + - name: Id + type: keyword + - name: ImplicitShare + type: keyword + - name: IncidentId + type: keyword + - name: InternalLogonType + type: keyword + - name: InterSystemsId + type: keyword + - name: IntraSystemId + type: keyword + - name: Item.* + type: object + - name: Item.*.* + type: object + - name: ItemName + type: keyword + - name: ItemType + type: keyword + - name: ListId + type: keyword + - name: ListItemUniqueId + type: keyword + - name: LogonError + type: keyword + - name: LogonType + type: keyword + - name: LogonUserSid + 
type: keyword + - name: MailboxGuid + type: keyword + - name: MailboxOwnerMasterAccountSid + type: keyword + - name: MailboxOwnerSid + type: keyword + - name: MailboxOwnerUPN + type: keyword + - name: Members + type: array + - name: Members.* + type: object + - name: ModifiedProperties.*.* + type: object + - name: Name + type: keyword + - name: ObjectId + type: keyword + - name: Operation + type: keyword + - name: OrganizationId + type: keyword + - name: OrganizationName + type: keyword + - name: OriginatingServer + type: keyword + - name: Parameters.* + type: object + - name: PolicyDetails + type: array + - name: PolicyId + type: keyword + - name: RecordType + type: keyword + - name: ResultStatus + type: keyword + - name: SensitiveInfoDetectionIsIncluded + type: boolean + - name: SharePointMetaData.* + type: object + - name: SessionId + type: keyword + - name: Severity + type: keyword + - name: Site + type: keyword + - name: SiteUrl + type: keyword + - name: Source + type: keyword + - name: SourceFileExtension + type: keyword + - name: SourceFileName + type: keyword + - name: SourceRelativeUrl + type: keyword + - name: Status + type: keyword + - name: SupportTicketId + type: keyword + - name: Target + type: array + fields: + - name: ID + type: keyword + - name: Type + type: keyword + - name: TargetContextId + type: keyword + - name: TargetUserOrGroupName + type: keyword + - name: TargetUserOrGroupType + type: keyword + - name: TeamName + type: keyword + - name: TeamGuid + type: keyword + - name: UniqueSharingId + type: keyword + - name: UserAgent + type: keyword + - name: UserId + type: keyword + - name: UserKey + type: keyword + - name: UserType + type: keyword + - name: Version + type: keyword + - name: WebId + type: keyword + - name: Workload + type: keyword + - name: YammerNetworkId + type: keyword 
diff --git a/packages/o365/1.6.0/data_stream/audit/manifest.yml b/packages/o365/1.6.0/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..2c1315f9c1
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/manifest.yml
@@ -0,0 +1,103 @@
+type: logs
+title: Office 365 audit logs
+streams:
+ - input: o365audit
+ title: "Collect Office 365 audit logs"
+ description: "Collect audit logs from Office 365 via the Management Activity API"
+ vars:
+ - name: application_id
+ type: text
+ title: Application (client) ID
+ multi: false
+ required: true
+ show_user: true
+ - name: client_secret
+ title: Client secret (API key)
+ type: password
+ multi: false
+ required: false
+ show_user: true
+ - name: certificate
+ type: text
+ title: Path to certificate file
+ multi: false
+ required: false
+ show_user: true
+ - name: key
+ type: text
+ title: Path to private key file
+ multi: false
+ required: false
+ show_user: true
+ - name: key_passphrase
+ type: text
+ title: Private key passphrase
+ multi: false
+ required: false
+ show_user: true
+ - name: tenants
+ type: text
+ multi: true
+ title: Directory (tenant) IDs
+ required: true
+ show_user: true
+ default:
+ - tenant-id
+ - name: tenant_names
+ type: text
+ multi: true
+ title: Directory (tenant) domains mapping
+ required: true
+ show_user: true
+ default:
+ - "tenant-id: domain-name"
+ - name: content_type
+ type: text
+ title: Content types
+ multi: true
+ default:
+ - "Audit.AzureActiveDirectory"
+ - "Audit.Exchange"
+ - "Audit.SharePoint"
+ - "Audit.General"
+ - "DLP.All"
+ required: true
+ show_user: true
+ - name: api
+ type: yaml
+ title: Advanced API settings
+ multi: false
+ required: false
+ show_user: false
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - o365-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ default: |-
+ #- add_fields:
+ # target: foo
+ # fields:
+ # bar: baz
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: o365audit.yml.hbs
diff --git a/packages/o365/1.6.0/data_stream/audit/sample_event.json b/packages/o365/1.6.0/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..72da4ab351
--- /dev/null
+++ b/packages/o365/1.6.0/data_stream/audit/sample_event.json
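Review bot: The `key_passphrase` var in this manifest is declared as `type: text` although it is a secret, while `client_secret` in the same `vars` list is correctly declared as `type: password`; a private-key passphrase presumably gets shown and stored unmasked wherever the policy is rendered if it stays `text`. Change that var's type line to `type: password` so it is handled like the client secret. The `certificate` and `key` vars are file paths, not secrets, and can remain `type: text`.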
@@ -0,0 +1,111 @@ +{ + "@timestamp": "2020-02-07T16:43:53.000Z", + "agent": { + "ephemeral_id": "14ad310a-30bb-45d4-9dd4-20f22267fbd5", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "client": { + "address": "213.97.47.133", + "ip": "213.97.47.133" + }, + "data_stream": { + "dataset": "o365.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "PageViewed", + "agent_id_status": "verified", + "category": [ + "web" + ], + "code": "SharePoint", + "dataset": "o365.audit", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "ingested": "2022-01-02T03:51:15Z", + "kind": "event", + "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + "name": "testsiem.onmicrosoft.com" + }, + "input": 
{ + "type": "o365audit" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "CreationTime": "2020-02-07T16:43:53", + "CustomUniqueId": true, + "EventSource": "SharePoint", + "ItemType": "Page", + "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + }, + "related": { + "ip": [ + "213.97.47.133" + ], + "user": [ + "asr" + ] + }, + "source": { + "ip": "213.97.47.133" + }, + "tags": [ + "forwarded", + "o365-audit", + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.14", + "name": "Mac OS X", + "version": "10.14" + }, + "version": "72.0." + } +} \ No newline at end of file diff --git a/packages/o365/1.6.0/docs/README.md b/packages/o365/1.6.0/docs/README.md new file mode 100755 index 0000000000..c345322f06 --- /dev/null +++ b/packages/o365/1.6.0/docs/README.md 
@@ -0,0 +1,374 @@ +# Microsoft Office 365 Integration + +This integration is for Microsoft Office 365. It currently supports user, admin, system, and policy actions and events from Office 365 and Azure AD activity logs exposed by the Office 365 Management Activity API. + +## Configuration + +To use this package you need to enable _Audit Log Search_ and register an application in Azure AD. + +Once this application is registered note the _Application (client) ID_ and the _Directory (tenant) ID._ Then configure the authentication in the _Certificates & Secrets_ section. + +To use client-secret authentication, add you secret to the _Client Secret (API key)_ field. + +To use certificate-based authentication, set the paths to the certificate and private key files. If the key file is protected with a passphrase, set this passphrase in the _Private key passphrase_ field. Paths must be absolute and files must exist in the host where _Elastic Agent_ is running. + + +Add your tenant ID(s) to the _Directory (tenant) IDs_ field, then add the hostname that this tenant identifies to the _Directory (tenant) domains_ field. For example: +- Directory IDs: `my-id-a` `my-id-b` +- Directory domains: `a.onmicrosoft.com` `b.onmicrosoft.com` + +## Compatibility + +The `ingest-geoip` and `ingest-user_agent` Elasticsearch plugins are required to run this module. + +## Logs + +### Audit + +Uses the Office 365 Management Activity API to retrieve audit messages from Office 365 and Azure AD activity logs. These are the same logs that are available under Audit Log Search in the Security and Compliance Center. 
+ +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2020-02-07T16:43:53.000Z", + "agent": { + "ephemeral_id": "14ad310a-30bb-45d4-9dd4-20f22267fbd5", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "client": { + "address": "213.97.47.133", + "ip": "213.97.47.133" + }, + "data_stream": { + "dataset": "o365.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "PageViewed", + "agent_id_status": "verified", + "category": [ + "web" + ], + "code": "SharePoint", + "dataset": "o365.audit", + "id": "99d005e6-a4c6-46fd-117c-08d7abeceab5", + "ingested": "2022-01-02T03:51:15Z", + "kind": "event", + "original": "{\"ListItemUniqueId\": \"59a8433d-9bb8-cfef-6edc-4c0fc8b86875\", \"ItemType\": \"Page\", \"Workload\": \"OneDrive\", \"OrganizationId\": \"b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd\", \"UserId\": \"asr@testsiem.onmicrosoft.com\", \"CreationTime\": \"2020-02-07T16:43:53\", \"Site\": \"d5180cfc-3479-44d6-b410-8c985ac894e3\", \"ClientIP\": \"213.97.47.133\", \"WebId\": \"8c5c94bb-8396-470c-87d7-8999f440cd30\", \"UserType\": 0, \"Version\": 1, \"EventSource\": \"SharePoint\", \"UserAgent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0\", \"UserKey\": \"i:0h.f|membership|1003200096971f55@live.com\", \"CustomUniqueId\": true, \"Operation\": \"PageViewed\", \"ObjectId\": \"https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx\", \"Id\": \"99d005e6-a4c6-46fd-117c-08d7abeceab5\", \"CorrelationId\": \"622b339f-4000-a000-f25f-92b3478c7a25\", \"RecordType\": 4}", + "outcome": "success", + "provider": "OneDrive", + "type": [ + "info" + ] + }, + "host": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", + 
"name": "testsiem.onmicrosoft.com" + }, + "input": { + "type": "o365audit" + }, + "network": { + "type": "ipv4" + }, + "o365": { + "audit": { + "CorrelationId": "622b339f-4000-a000-f25f-92b3478c7a25", + "CreationTime": "2020-02-07T16:43:53", + "CustomUniqueId": true, + "EventSource": "SharePoint", + "ItemType": "Page", + "ListItemUniqueId": "59a8433d-9bb8-cfef-6edc-4c0fc8b86875", + "ObjectId": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/_layouts/15/onedrive.aspx", + "RecordType": "4", + "Site": "d5180cfc-3479-44d6-b410-8c985ac894e3", + "UserId": "asr@testsiem.onmicrosoft.com", + "UserKey": "i:0h.f|membership|1003200096971f55@live.com", + "UserType": "0", + "Version": "1", + "WebId": "8c5c94bb-8396-470c-87d7-8999f440cd30" + } + }, + "organization": { + "id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd" + }, + "related": { + "ip": [ + "213.97.47.133" + ], + "user": [ + "asr" + ] + }, + "source": { + "ip": "213.97.47.133" + }, + "tags": [ + "forwarded", + "o365-audit", + "preserve_original_event" + ], + "user": { + "domain": "testsiem.onmicrosoft.com", + "email": "asr@testsiem.onmicrosoft.com", + "id": "asr@testsiem.onmicrosoft.com", + "name": "asr" + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Firefox", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", + "os": { + "full": "Mac OS X 10.14", + "name": "Mac OS X", + "version": "10.14" + }, + "version": "72.0." + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| client.domain | The domain name of the client system. 
This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.user.email | User email address. | keyword | +| destination.user.id | Unique identifier of the user. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. 
It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | +| file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.inode | Inode representing the file in the filesystem. | keyword | +| file.mtime | Last time the file content was modified. | date | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.owner | File owner's username. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. 
| keyword | +| o365.audit.Actor.ID | | keyword | +| o365.audit.Actor.Type | | keyword | +| o365.audit.ActorContextId | | keyword | +| o365.audit.ActorIpAddress | | keyword | +| o365.audit.ActorUserId | | keyword | +| o365.audit.ActorYammerUserId | | keyword | +| o365.audit.AlertEntityId | | keyword | +| o365.audit.AlertId | | keyword | +| o365.audit.AlertLinks | | array | +| o365.audit.AlertType | | keyword | +| o365.audit.AppId | | keyword | +| o365.audit.ApplicationDisplayName | | keyword | +| o365.audit.ApplicationId | | keyword | +| o365.audit.AzureActiveDirectoryEventType | | keyword | +| o365.audit.Category | | keyword | +| o365.audit.ClientAppId | | keyword | +| o365.audit.ClientIP | | keyword | +| o365.audit.ClientIPAddress | | keyword | +| o365.audit.ClientInfoString | | keyword | +| o365.audit.ClientRequestId | | keyword | +| o365.audit.Comments | | text | +| o365.audit.CorrelationId | | keyword | +| o365.audit.CreationTime | | keyword | +| o365.audit.CustomUniqueId | | boolean | +| o365.audit.Data | | keyword | +| o365.audit.DataType | | keyword | +| o365.audit.EntityType | | keyword | +| o365.audit.ErrorNumber | | keyword | +| o365.audit.EventData | | keyword | +| o365.audit.EventSource | | keyword | +| o365.audit.ExceptionInfo.\* | | object | +| o365.audit.ExchangeMetaData.\* | | object | +| o365.audit.ExtendedProperties.\* | | object | +| o365.audit.ExternalAccess | | boolean | +| o365.audit.GroupName | | keyword | +| o365.audit.Id | | keyword | +| o365.audit.ImplicitShare | | keyword | +| o365.audit.IncidentId | | keyword | +| o365.audit.InterSystemsId | | keyword | +| o365.audit.InternalLogonType | | keyword | +| o365.audit.IntraSystemId | | keyword | +| o365.audit.Item.\* | | object | +| o365.audit.Item.\*.\* | | object | +| o365.audit.ItemName | | keyword | +| o365.audit.ItemType | | keyword | +| o365.audit.ListId | | keyword | +| o365.audit.ListItemUniqueId | | keyword | +| o365.audit.LogonError | | keyword | +| o365.audit.LogonType | | keyword | 
+| o365.audit.LogonUserSid | | keyword | +| o365.audit.MailboxGuid | | keyword | +| o365.audit.MailboxOwnerMasterAccountSid | | keyword | +| o365.audit.MailboxOwnerSid | | keyword | +| o365.audit.MailboxOwnerUPN | | keyword | +| o365.audit.Members | | array | +| o365.audit.Members.\* | | object | +| o365.audit.ModifiedProperties.\*.\* | | object | +| o365.audit.Name | | keyword | +| o365.audit.ObjectId | | keyword | +| o365.audit.Operation | | keyword | +| o365.audit.OrganizationId | | keyword | +| o365.audit.OrganizationName | | keyword | +| o365.audit.OriginatingServer | | keyword | +| o365.audit.Parameters.\* | | object | +| o365.audit.PolicyDetails | | array | +| o365.audit.PolicyId | | keyword | +| o365.audit.RecordType | | keyword | +| o365.audit.ResultStatus | | keyword | +| o365.audit.SensitiveInfoDetectionIsIncluded | | boolean | +| o365.audit.SessionId | | keyword | +| o365.audit.Severity | | keyword | +| o365.audit.SharePointMetaData.\* | | object | +| o365.audit.Site | | keyword | +| o365.audit.SiteUrl | | keyword | +| o365.audit.Source | | keyword | +| o365.audit.SourceFileExtension | | keyword | +| o365.audit.SourceFileName | | keyword | +| o365.audit.SourceRelativeUrl | | keyword | +| o365.audit.Status | | keyword | +| o365.audit.SupportTicketId | | keyword | +| o365.audit.Target.ID | | keyword | +| o365.audit.Target.Type | | keyword | +| o365.audit.TargetContextId | | keyword | +| o365.audit.TargetUserOrGroupName | | keyword | +| o365.audit.TargetUserOrGroupType | | keyword | +| o365.audit.TeamGuid | | keyword | +| o365.audit.TeamName | | keyword | +| o365.audit.UniqueSharingId | | keyword | +| o365.audit.UserAgent | | keyword | +| o365.audit.UserId | | keyword | +| o365.audit.UserKey | | keyword | +| o365.audit.UserType | | keyword | +| o365.audit.Version | | keyword | +| o365.audit.WebId | | keyword | +| o365.audit.Workload | | keyword | +| o365.audit.YammerNetworkId | | keyword | +| organization.id | Unique identifier for the organization. 
| keyword | +| organization.name | Organization name. | keyword | +| organization.name.text | Multi-field of `organization.name`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.id | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.reference | Reference URL to additional information about the rule used to generate this event. The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| server.domain | The domain name of the server system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| source.as.number | Unique number allocated to the autonomous system. 
The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.port | Port of the source. | long | +| source.user.email | User email address. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | +| url.original.text | Multi-field of `url.original`. | match_only_text | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. 
| keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user_agent.device.name | Name of the device. | keyword | +| user_agent.name | Name of the user agent. | keyword | +| user_agent.original | Unparsed user_agent string. | keyword | +| user_agent.original.text | Multi-field of `user_agent.original`. | match_only_text | +| user_agent.os.full | Operating system name, including the version or code name. | keyword | +| user_agent.os.full.text | Multi-field of `user_agent.os.full`. | match_only_text | +| user_agent.os.name | Operating system name, without the version. | keyword | +| user_agent.os.name.text | Multi-field of `user_agent.os.name`. | match_only_text | +| user_agent.os.version | Operating system version as a raw string. | keyword | +| user_agent.version | Version of the user agent. | keyword | + 
diff --git a/packages/o365/1.6.0/img/filebeat-o365-audit.png b/packages/o365/1.6.0/img/filebeat-o365-audit.png new file mode 100755 index 0000000000..a2413e7b90 Binary files /dev/null and b/packages/o365/1.6.0/img/filebeat-o365-audit.png differ diff --git a/packages/o365/1.6.0/img/filebeat-o365-azure-permissions.png b/packages/o365/1.6.0/img/filebeat-o365-azure-permissions.png new file mode 100755 index 0000000000..19a98e687a Binary files /dev/null and b/packages/o365/1.6.0/img/filebeat-o365-azure-permissions.png differ diff --git a/packages/o365/1.6.0/img/logo-integrations-microsoft-365.svg b/packages/o365/1.6.0/img/logo-integrations-microsoft-365.svg new file mode 100755 index 0000000000..3763f267ff --- /dev/null +++ b/packages/o365/1.6.0/img/logo-integrations-microsoft-365.svg @@ -0,0 +1,16 @@ + + + logo-integrations-Desktop HD Copy 2 + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..a261099e07 --- /dev/null +++ b/packages/o365/1.6.0/kibana/dashboard/o365-712e2c00-685d-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "Sample dashboard for Office 365 Management Activity events", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"title\":\"Total audit events\"},\"gridData\":{\"h\":6,\"i\":\"b6942e2a-81dc-40e4-a932-8b7a864b28bc\",\"w\":10,\"x\":0,\"y\":0},\"panelIndex\":\"b6942e2a-81dc-40e4-a932-8b7a864b28bc\",\"panelRefName\":\"panel_0\",\"title\":\"Total audit events\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"Event histogram by service\"},\"gridData\":{\"h\":14,\"i\":\"9673e6df-4b1e-4771-b1c6-c41c9bfc7272\",\"w\":38,\"x\":10,\"y\":0},\"panelIndex\":\"9673e6df-4b1e-4771-b1c6-c41c9bfc7272\",\"panelRefName\":\"panel_1\",\"title\":\"Event histogram by service\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"colors\":{\"alert\":\"#EF843C\",\"event\":\"#7EB26D\"},\"legendOpen\":true,\"title\":\"Events by type\",\"vis\":{\"colors\":{\"alert\":\"#E24D42\",\"event\":\"#7EB26D\"},\"legendOpen\":true}},\"gridData\":{\"h\":8,\"i\":\"70ab7239-c65c-41da-8242-da61750745d7\",\"w\":10,\"x\":0,\"y\":6},\"panelIndex\":\"70ab7239-c65c-41da-8242-da61750745d7\",\"panelRefName\":\"panel_2\",\"title\":\"Events by type\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":false,\"title\":\"Top users by authentication failures\",\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":true}},\"gridData\":{\"h\":17,\"i\":\"775ced7d-7c58-44bc-8d4e-2a757d2c218c\",\"w\":10,\"x\":0,\"y\":14},\"panelIndex\":\"775ced7d-7c58-44bc-8d4e-2a757d2c218c\",\"panelRefName\":\"panel_3\",\"title\":\"Top users by authentication 
failures\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"hiddenLayers\":[],\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":42.68781,\"lon\":-48.94209,\"zoom\":1.88},\"openTOCDetails\":[],\"title\":\"Client geolocation map\"},\"gridData\":{\"h\":17,\"i\":\"15fe975b-6b8b-4445-872d-e06c041e2c31\",\"w\":38,\"x\":10,\"y\":14},\"panelIndex\":\"15fe975b-6b8b-4445-872d-e06c041e2c31\",\"panelRefName\":\"panel_4\",\"title\":\"Client geolocation map\",\"version\":\"7.6.0\"},{\"embeddableConfig\":{\"title\":\"Data Loss Prevention alerts\"},\"gridData\":{\"h\":13,\"i\":\"481f1778-caad-4971-b598-bb61c94bf998\",\"w\":48,\"x\":0,\"y\":31},\"panelIndex\":\"481f1778-caad-4971-b598-bb61c94bf998\",\"panelRefName\":\"panel_5\",\"title\":\"Data Loss Prevention alerts\",\"version\":\"7.6.0\"}]", + "timeRestore": false, + "title": "[Logs o365] Audit Dashboard", + "version": 1 + }, + "id": "o365-712e2c00-685d-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-0be1adb0-6860-11ea-8d6a-292ef5d68366", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "o365-8b033510-685a-11ea-8d6a-292ef5d68366", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "o365-d43c95a0-6864-11ea-8d6a-292ef5d68366", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "o365-897d0c70-6869-11ea-8d6a-292ef5d68366", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "o365-dbae13c0-685c-11ea-8d6a-292ef5d68366", + "name": "panel_4", + "type": "map" + }, + { + "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..d7c061e5c4 --- /dev/null 
+++ b/packages/o365/1.6.0/kibana/map/o365-dbae13c0-685c-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,24 @@ +{ + "attributes": { + "description": "", + "layerListJSON": "[{\"alpha\":1,\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"isAutoSelect\":true,\"type\":\"EMS_TMS\"},\"style\":{},\"type\":\"VECTOR_TILE\",\"visible\":true},{\"alpha\":0.75,\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"maxZoom\":24,\"minZoom\":0,\"sourceDescriptor\":{\"applyGlobalQuery\":true,\"geoField\":\"source.geo.location\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"type\":\"ES_GEO_GRID\"},\"style\":{\"isTimeAware\":true,\"properties\":{\"fillColor\":{\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false},\"type\":\"DYNAMIC\"},\"icon\":{\"options\":{\"value\":\"airfield\"},\"type\":\"STATIC\"},\"iconOrientation\":{\"options\":{\"orientation\":0},\"type\":\"STATIC\"},\"iconSize\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"maxSize\":32,\"minSize\":8},\"type\":\"DYNAMIC\"},\"labelBorderColor\":{\"options\":{\"color\":\"#FFFFFF\"},\"type\":\"STATIC\"},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"labelColor\":{\"options\":{\"color\":\"#000000\"},\"type\":\"STATIC\"},\"labelSize\":{\"options\":{\"size\":14},\"type\":\"STATIC\"},\"labelText\":{\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}},\"type\":\"DYNAMIC\"},\"lineColor\":{\"options\":{\"color\":\"#FFF\"},\"type\":\"STATIC\"},\"lineWidth\":{\"options\":{\"size\":0},\"type\":\"STATIC\"},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}}},\"type\":\"VECTOR\"},\"type\":\"VECTOR\",\"visible\":true}]", + "mapStateJSON": 
"{\"center\":{\"lat\":30.87292,\"lon\":16.67387},\"filters\":[],\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"o365.audit\\\" \"},\"refreshConfig\":{\"interval\":0,\"isPaused\":false},\"timeFilters\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"zoom\":2.88}", + "title": "Client Geo Map [Logs o365 audit]", + "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + }, + "id": "o365-dbae13c0-685c-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "map": "7.9.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..7c0cb148aa --- /dev/null +++ b/packages/o365/1.6.0/kibana/search/o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,56 @@ +{ + "attributes": { + "columns": [ + "event.category", + "event.type", + "event.action", + "event.outcome", + "user.name", + "file.name", + "rule.name" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"data_stream.dataset\",\"negate\":false,\"params\":{\"query\":\"o365.audit\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"data_stream.dataset\":\"o365.audit\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\",\"key\":\"event.kind\",\"negate\":false,\"params\":{\"query\":\"alert\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\",\"key\":\"event.code\",\"negate\":false,\"params\":[\"ComplianceDLPSharePoint\",\"ComplianceDLPExchange\"],\"type\":\"phrases\",\"value\":\"ComplianceDLPSharePoint, ComplianceDLPExchange\"},\"query\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"event.code\":\"ComplianceDLPSharePoint\"}},{\"match_phrase\":{\"event.code\":\"ComplianceDLPExchange\"}}]}}}],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Data Loss Prevention [Logs o365]", + "version": 1 + }, + "id": "o365-8b8e5a10-6886-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..aab59e7d3b --- /dev/null +++ b/packages/o365/1.6.0/kibana/search/o365-fdc14020-6859-11ea-8d6a-292ef5d68366.json @@ -0,0 +1,35 @@ +{ + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset:\\\"o365.audit\\\" \"},\"version\":true}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Audit Events [Logs O365]", + "version": 1 + }, + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..2fdb82d937 --- /dev/null +++ b/packages/o365/1.6.0/kibana/visualization/o365-0be1adb0-6860-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Count [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}},\"type\":\"vis_dimension\"}]},\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000,\"type\":\"range\"}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":40,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"Audit Event Count [Logs o365]\",\"type\":\"metric\"}" + }, + "id": "o365-0be1adb0-6860-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..ba90a63e18 --- /dev/null +++ b/packages/o365/1.6.0/kibana/visualization/o365-897d0c70-6869-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,33 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"event.category\",\"negate\":false,\"params\":{\"query\":\"authentication\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}}}],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "savedSearchRefName": "search_0", + "title": "Top Authentication Failures [Logs o365]", + "uiStateJSON": "{\"vis\":{\"colors\":{\"failure\":\"#E24D42\",\"success\":\"#629E51\"},\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"field\":\"event.outcome\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"asc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":2},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"user.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":15},\"schema\":\"split\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":false,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathn
ame\":\"/app/kibana\"}}},\"label\":\"event.outcome: Ascending\",\"params\":{}}],\"splitRow\":[{\"accessor\":1,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"user.name: Descending\",\"params\":{}}],\"x\":null,\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"labels\":{\"show\":true},\"legendPosition\":\"bottom\",\"orderBucketsBySum\":true,\"row\":true,\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":false,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":false,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Top Authentication Failures [Logs o365]\",\"type\":\"horizontal_bar\"}" + }, + "id": "o365-897d0c70-6869-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file 
diff --git a/packages/o365/1.6.0/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..6724878043 --- /dev/null +++ b/packages/o365/1.6.0/kibana/visualization/o365-8b033510-685a-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Events Histogram [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.code\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":50},\"schema\":\"group\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"drop_partials\":false,\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"scaleMetricValues\":false,\"timeRange\":{\"from\":\"2020-02-05T03:25:59.045Z\",\"to\":\"2020-02-29T10:59:01.067Z\"},\"useNormalizedEsInterval\":true},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"dimensions\":{\"series\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"\",\"origin\":\"http://localhost:5601\",\"pathname\":\"/app/kibana\"}}},\"label\":\"event.code: Descending\",\"params\":{}}],\"x\":{\"accessor\":1,\"aggType\":\"date_histogram\",\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"YYYY-MM-DD HH:mm\"}},\"label\":\"@timestamp per 12 hours\",\"params\":{\"bounds\":{\"max\":\"2020-02-29T10:59:01.067Z\",\"min\":\"2020-02-05T03:25:59.045Z\"},\"date\":true,\"format\":\"YYYY-MM-DD 
HH:mm\",\"interval\":\"PT12H\",\"intervalESUnit\":\"h\",\"intervalESValue\":12}},\"y\":[{\"accessor\":2,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Events Histogram [Logs o365]\",\"type\":\"histogram\"}" + }, + "id": "o365-8b033510-685a-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json b/packages/o365/1.6.0/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json new file mode 100755 index 0000000000..ec9ec39027 --- /dev/null +++ b/packages/o365/1.6.0/kibana/visualization/o365-d43c95a0-6864-11ea-8d6a-292ef5d68366.json 
@@ -0,0 +1,28 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{}" + }, + "savedSearchRefName": "search_0", + "title": "Audit Event Type [Logs o365]", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"field\":\"event.kind\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"dimensions\":{\"metric\":{\"accessor\":0,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}},\"isDonut\":true,\"labels\":{\"last_level\":true,\"show\":false,\"truncate\":100,\"values\":true},\"legendPosition\":\"right\",\"type\":\"pie\"},\"title\":\"Audit Event Type [Logs o365]\",\"type\":\"pie\"}" + }, + "id": "o365-d43c95a0-6864-11ea-8d6a-292ef5d68366", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "o365-fdc14020-6859-11ea-8d6a-292ef5d68366", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/o365/1.6.0/manifest.yml b/packages/o365/1.6.0/manifest.yml new file mode 100755 index 0000000000..b9b95e46c4 --- /dev/null +++ b/packages/o365/1.6.0/manifest.yml 
@@ -0,0 +1,35 @@
+name: o365
+title: Office 365 Logs
+version: 1.6.0
+release: ga
+description: Collect and parse event logs from Office 365 with Elastic Agent.
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+  kibana.version: ^7.14.0 || ^8.0.0
+icons:
+  - src: /img/logo-integrations-microsoft-365.svg
+    title: Microsoft Office 365
+    size: 216x216
+    type: image/svg+xml
+screenshots:
+  - src: /img/filebeat-o365-audit.png
+    title: Office 365 Dashboard
+    size: 1924x1409
+    type: image/png
+  - src: /img/filebeat-o365-azure-permissions.png
+    title: Azure Permissions
+    size: 2660x1030
+    type: image/png
+policy_templates:
+  - name: o365
+    title: Office 365 logs
+    description: Collect logs from Office 365
+    inputs:
+      - type: o365audit
+        title: "Collect Office 365 audit logs"
+        description: "Collect audit logs from Office 365 via the Management Activity API"
+owner:
+  github: elastic/security-external-integrations
diff --git a/packages/snyk/1.2.1/changelog.yml b/packages/snyk/1.2.1/changelog.yml
new file mode 100755
index 0000000000..c520a4c6da
--- /dev/null
+++ b/packages/snyk/1.2.1/changelog.yml
@@ -0,0 +1,31 @@
+# newer versions go on top
+- version: "1.2.1"
+  changes:
+    - description: Add correct field mapping for event.created
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3579
+- version: "1.2.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2780
+- version: "1.1.2"
+  changes:
+    - description: Fix typo in config template for ignoring host enrichment
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3092
+- version: "1.1.1"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "1.1.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2439
+- version: "1.0.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2162
diff --git a/packages/snyk/1.2.1/data_stream/audit/agent/stream/httpjson.yml.hbs b/packages/snyk/1.2.1/data_stream/audit/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..c54c15ed13
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,63 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/{{audit_type}}/{{audit_id}}/audit?page=1&sortOrder=ASC
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+    target: header.Authorization
+    value: token {{ api_token }}
+- set:
+    target: url.params.to
+    value: '[[ formatDate (now) "2006-01-02" ]]'
+- set:
+    target: url.params.from
+    value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]'
+    default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]'
+cursor:
+  interval:
+    value: "-24h"
+
+request.body:
+  filters:
+{{#if userId }}
+    userId: {{ userId }}
+{{/if}}
+{{#if email_address }}
+    email: {{ email_address }}
+{{/if}}
+{{#if event }}
+    event: {{ event }}
+{{/if}}
+{{#if project_id }}
+    project_id: {{ project_id }}
+{{/if}}
+
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+    target: url.params.page
+    value: '[[add .last_response.page 1]]'
+    fail_on_template_error: true
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/snyk/1.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..7dc4d2a2e4
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
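Review bot: The filter values under `request.body` are rendered as plain scalars (`userId: {{ userId }}`, `email: {{ email_address }}`, `event: {{ event }}`, `project_id: {{ project_id }}`), so a value that YAML implicitly types — all digits, `true`/`no`, or text containing `: ` or ` #` — is retyped or breaks the rendered agent config instead of reaching the API as a string filter. Quoting each templated value, e.g. `userId: "{{ userId }}"`, keeps the rendered YAML a string whatever the operator enters. The same caveat applies to `request.url`, where `audit_type` and `audit_id` are spliced into the path unquoted and unescaped. `api_token` is rendered only into the `Authorization` header, which is the right place; the package variable it comes from is declared outside this hunk and should be a password-type var so Fleet treats it as a secret.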
@@ -0,0 +1,87 @@
+---
+description: Pipeline for Snyk Audit logs
+processors:
+- set:
+    field: ecs.version
+    value: 8.2.0
+- rename:
+    field: message
+    target_field: event.original
+- json:
+    field: event.original
+    target_field: json
+- fingerprint:
+    fields:
+      - json.orgId
+      - json.created
+      - json.event
+    target_field: _id
+- rename:
+    field: json
+    target_field: snyk.audit
+    ignore_missing: true
+- rename:
+    field: snyk.audit.groupId
+    target_field: user.group.id
+    ignore_missing: true
+- rename:
+    field: snyk.audit.orgId
+    target_field: snyk.audit.org_id
+    ignore_missing: true
+- rename:
+    field: snyk.audit.projectId
+    target_field: snyk.audit.project_id
+    ignore_missing: true
+- rename:
+    field: snyk.audit.userId
+    target_field: user.id
+    ignore_missing: true
+- rename:
+    field: snyk.audit.event
+    target_field: event.action
+    ignore_missing: true
+- date:
+    field: snyk.audit.created
+    target_field: "@timestamp"
+    formats:
+      - "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"
+- script:
+    lang: painless
+    description: This script processor iterates over the whole document to remove fields with null values.
+    source: |
+      void handleMap(Map map) {
+        for (def x : map.values()) {
+          if (x instanceof Map) {
+            handleMap(x);
+          } else if (x instanceof List) {
+            handleList(x);
+          }
+        }
+        map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+      }
+      void handleList(List list) {
+        for (def x : list) {
+          if (x instanceof Map) {
+            handleMap(x);
+          } else if (x instanceof List) {
+            handleList(x);
+          }
+        }
+        list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+      }
+      handleMap(ctx);
+- remove:
+    field: event.original
+    if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+    ignore_failure: true
+    ignore_missing: true
+- remove:
+    field:
+      - snyk.audit.created
+      - message
+      - json
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/agent.yml b/packages/snyk/1.2.1/data_stream/audit/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/agent.yml
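Review bot: The `on_failure` handler records only `error.message`, so documents that failed parsing are not distinguishable from good ones in searches or detection rules; adding `- set: {field: event.kind, value: pipeline_error}` to the handler makes them findable, and `value: '{{{ _ingest.on_failure_message }}}'` (triple braces) stops Mustache from HTML-escaping quotes and angle brackets in the stored message. Successfully parsed records never receive `event.kind` or `event.category` either, so ECS-based rules cannot classify these audit events; a `set` of `event.kind: event` after the `json` processor is cheap. The `fingerprint` processor does not set `ignore_missing`, so a record lacking any of `json.orgId`, `json.created` or `json.event` fails the whole pipeline instead of being indexed with a generated `_id`; whether group-level audit records (`audit_type: group`) always carry `orgId` is worth confirming against real output.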
@@ -0,0 +1,114 @@
+- name: host
+  title: Host
+  group: 2
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  type: group
+  fields:
+  - name: architecture
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: Operating system architecture.
+    example: x86_64
+  - name: domain
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: 'Name of the domain of which the host is a member.
+
+      For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+    example: CONTOSO
+    default_field: false
+  - name: hostname
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: 'Hostname of the host.
+
+      It normally contains what the `hostname` command returns on the host machine.'
+  - name: id
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: 'Unique host id.
+
+      As hostname is not always unique, use values that are meaningful in your environment.
+
+      Example: The current usage of `beat.name`.'
+  - name: ip
+    level: core
+    type: ip
+    description: Host ip addresses.
+  - name: mac
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: Host mac addresses.
+  - name: name
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: 'Name of the host.
+
+      It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+  - name: os.family
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: OS family (such as redhat, debian, freebsd, windows).
+    example: debian
+  - name: os.kernel
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: Operating system kernel version as a raw string.
+    example: 4.4.0-112-generic
+  - name: os.name
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    multi_fields:
+    - name: text
+      type: text
+      norms: false
+      default_field: false
+    description: Operating system name, without the version.
+    example: Mac OS X
+  - name: os.platform
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: Operating system platform (such centos, ubuntu, windows).
+    example: darwin
+  - name: os.version
+    level: extended
+    type: keyword
+    ignore_above: 1024
+    description: Operating system version as a raw string.
+    example: 10.14.1
+  - name: type
+    level: core
+    type: keyword
+    ignore_above: 1024
+    description: 'Type of host.
+
+      For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+  - name: containerized
+    type: boolean
+    description: >
+      If the host is a container.
+
+  - name: os.build
+    type: keyword
+    example: "18D109"
+    description: >
+      OS build information.
+
+  - name: os.codename
+    type: keyword
+    example: "stretch"
+    description: >
+      OS codename, if any.
+
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/base-fields.yml b/packages/snyk/1.2.1/data_stream/audit/fields/base-fields.yml
new file mode 100755
index 0000000000..66c5548b5d
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset name.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: snyk
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: snyk.audit
+- name: "@timestamp"
+  type: date
+  description: Event timestamp.
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/beats.yml b/packages/snyk/1.2.1/data_stream/audit/fields/beats.yml
new file mode 100755
index 0000000000..cb44bb2944
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.
+- name: log.flags
+  type: keyword
+  description: Flags for the log file.
+- name: log.offset
+  type: long
+  description: Offset of the entry in the log file.
+- name: log.file.path
+  type: keyword
+  description: Path to the log file.
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/ecs.yml b/packages/snyk/1.2.1/data_stream/audit/fields/ecs.yml
new file mode 100755
index 0000000000..295d0e1ad2
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,34 @@
+- description: |-
+    event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+    This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+    In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+    In case the two timestamps are identical, @timestamp should be used.
+  name: event.created
+  type: date
+- description: |-
+    Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+    This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
+  doc_values: false
+  index: false
+  name: event.original
+  type: keyword
+- description: List of keywords used to tag each event.
+  name: tags
+  type: keyword
+- description: |-
+    For log events the message field contains the log message, optimized for viewing in a log viewer.
+    For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+    If multiple messages exist, they can be combined into one message.
+  name: message
+  type: match_only_text
+- description: |-
+    ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+    When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+  name: ecs.version
+  type: keyword
+- description: Unique identifier for the group on the system/platform.
+  name: user.group.id
+  type: keyword
+- description: Unique identifier of the user.
+  name: user.id
+  type: keyword
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/fields.yml b/packages/snyk/1.2.1/data_stream/audit/fields/fields.yml
new file mode 100755
index 0000000000..8af2e4fe1e
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/fields.yml
@@ -0,0 +1,21 @@
+- name: snyk.audit
+  type: group
+  description: >
+    Snyk audit logs.
+
+  fields:
+    - name: org_id
+      type: keyword
+      description: >
+        ID of the related Organization related to the event.
+
+    - name: project_id
+      type: keyword
+      description: >
+        ID of the project related to the event.
+
+    - name: content
+      type: flattened
+      description: >
+        Overview of the content that was changed, both old and new values.
+
diff --git a/packages/snyk/1.2.1/data_stream/audit/fields/package-fields.yml b/packages/snyk/1.2.1/data_stream/audit/fields/package-fields.yml
new file mode 100755
index 0000000000..a6f1fda959
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/fields/package-fields.yml
@@ -0,0 +1,17 @@
+- name: snyk
+  type: group
+  release: beta
+  description: >
+    Module for parsing Snyk project vulnerabilities.
+
+  fields:
+    - name: projects
+      type: flattened
+      description: >
+        Array with all related projects objects.
+
+    - name: related.projects
+      type: keyword
+      description: >
+        Array of all the related project ID's.
+
diff --git a/packages/snyk/1.2.1/data_stream/audit/manifest.yml b/packages/snyk/1.2.1/data_stream/audit/manifest.yml
new file mode 100755
index 0000000000..c6a1c5241a
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/manifest.yml
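Review bot: `package-fields.yml` describes the `snyk` group as `Module for parsing Snyk project vulnerabilities.` and declares `snyk.projects` and `snyk.related.projects`, yet this is the audit data stream and the pipeline in this diff writes only `snyk.audit.*`, `user.*` and `event.action`; the text looks copied from the vulnerabilities stream and neither field is populated here. Either drop the two fields from the audit stream or reword the description, e.g. `Fields shared by the Snyk audit and vulnerability data streams.`, so the generated field reference does not promise fields this stream never emits. The same review applies to `fields.yml` in this diff, whose `org_id` description reads `ID of the related Organization related to the event.`; `ID of the organization related to the event.` says the same thing once.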
@@ -0,0 +1,97 @@
+title: "Collect Snyk Audit Logs"
+type: logs
+streams:
+ - input: httpjson
+ title: "Collect Snyk Audit Logs"
+ description: "Collect Snyk Audit Logs via the Snyk API"
+ enabled: true
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: audit_type
+ type: text
+ title: Audit Log Type
+ description: Type of Audit logs; "org" or "group"
+ multi: false
+ show_user: true
+ required: true
+ default: org
+ - name: audit_id
+ type: text
+ title: Group/Org ID
+ description: The ID of the Snyk group or organization
+ multi: false
+ show_user: true
+ required: true
+ default: ""
+ - name: userId
+ type: text
+ title: User ID Filter
+ description: User ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: email_address
+ type: text
+ title: Email Address Filter
+ description: Email Address on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: event
+ type: text
+ title: Event ID Filter
+ description: Event ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: project_id
+ type: text
+ title: Project ID Filter
+ description: Project ID on which to filter events
+ multi: false
+ show_user: true
+ required: false
+ default: ""
+ - name: interval
+ type: text
+ title: Interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 10s
+ - name: first_interval
+ type: text
+ title: Initial interval to query Snyk Events API
+ description: Go Duration syntax (eg. 10s)
+ multi: false
+ show_user: false
+ required: true
+ default: 720h
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - snyk-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/snyk/1.2.1/data_stream/audit/sample_event.json b/packages/snyk/1.2.1/data_stream/audit/sample_event.json
new file mode 100755
index 0000000000..d5854f7fa9
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/audit/sample_event.json
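Review bot: `userId` breaks the snake_case naming its sibling variables use (`audit_id`, `email_address`, `project_id`), and once it is published as a policy config key a later rename is a breaking change; rename it to `user_id` while the stream is new. The two `Go Duration syntax (eg. 10s)` descriptions should read `e.g.`, and `interval` defaulting to `10s` for a scheduled poll of an audit-log API looks aggressive — the audit stream's request template is not in this chunk, so whether each run re-fetches from `first_interval` is inferred, but the default is worth checking against Snyk's rate limits.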
@@ -0,0 +1,57 @@ +{ + "@timestamp": "2020-11-11T21:00:00.000Z", + "agent": { + "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "org.user.invite", + "agent_id_status": "verified", + "created": "2022-01-02T10:21:09.808Z", + "dataset": "snyk.audit", + "ingested": "2022-01-02T10:21:10Z", + "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "audit": { + "content": { + "email": "someone@snyk.io", + "isAdmin": false + }, + "org_id": "orgid123test-5643asd234-asdfasdf" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-audit" + ], + "user": { + "group": { + "id": "groupid123test-543123-54312sadf-123ad" + }, + "id": "userid123test-234sdfa2-423sdfa-2134" + } +} \ No newline at end of file diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs b/packages/snyk/1.2.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..3a97ccd1d0 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,92 @@
+config_version: 2
+interval: {{ interval }}
+request.url: {{ url }}/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+ target: header.Authorization
+ value: token {{ api_token }}
+- set:
+ target: url.params.to
+ value: '[[ formatDate (now) "2006-01-02" ]]'
+- set:
+ target: url.params.from
+ value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]'
+ default: '[[ formatDate (now (parseDuration "-{{ first_interval }}")) "2006-01-02" ]]'
+cursor:
+ interval:
+ value: "-24h"
+request.timeout: 120s
+
+request.body:
+ filters:
+ orgs:
+{{#each orgs as |org i|}}
+ - {{org}}
+{{/each}}
+ severity:
+{{#each severity as |sev i|}}
+ - {{sev}}
+{{/each}}
+ exploitMaturity:
+{{#each exploit_maturity as |mat i|}}
+ - {{mat}}
+{{/each}}
+ types:
+{{#each types as |type i|}}
+ - {{type}}
+{{/each}}
+ languages:
+{{#each languages as |lang i|}}
+ - {{lang}}
+{{/each}}
+ projects:
+{{#each projects as |proj i|}}
+ - {{proj}}
+{{/each}}
+ identifier: {{ identifier }}
+ ignored: {{ ignored }}
+ patched: {{ patched }}
+ fixable: {{ fixable }}
+ isFixed: {{ is_fixed }}
+ isUpgradable: {{ is_upgradeable }}
+ isPatchable: {{ is_patchable }}
+ isPinnable: {{ is_pinnable }}
+ priorityScore:
+ min: {{ min_priority_score }}
+ max: {{ max_priority_score }}
+
+response.request_body_on_pagination: true
+response.pagination:
+- set:
+ target: url.params.page
+ value: '[[add .last_response.page 1]]'
+ fail_on_template_error: true
+
+response.split:
+ target: body.results
+
+
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..964bf43d67
--- /dev/null
+++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml
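Review bot: `request.timeout` is rendered twice — once inside `{{#if http_client_timeout}}` and again unconditionally as `request.timeout: 120s` after the `cursor` block — so the rendered YAML has a duplicate key, the last value wins in the agent's loader, and a user-supplied `http_client_timeout` is silently ignored. Move the fixed value into the conditional's else branch (`{{else}}` / `request.timeout: 120s` before the `{{/if}}`) or drop the unconditional line; the default of `http_client_timeout` presumably lives in the package-level manifest, which is outside this chunk. Separately, `identifier: {{ identifier }}` is rendered unquoted, so an empty filter becomes YAML `null` and a search term containing `: ` or `#` breaks the rendered input config; emit it as `identifier: "{{ identifier }}"`, or only inside `{{#if identifier}}` if the API treats an empty string differently from an absent key.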
@@ -0,0 +1,200 @@
+---
+description: Pipeline for Snyk vulnerability logs
+processors:
+- set:
+ field: ecs.version
+ value: 8.2.0
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- fingerprint:
+ fields:
+ - json.issue.id
+ target_field: _id
+- set:
+ field: vulnerability.classification
+ value: CVSS
+- set:
+ field: vulnerability.category
+ value: Github
+- set:
+ field: vulnerability.scanner.vendor
+ value: Snyk
+- rename:
+ field: json
+ target_field: snyk
+ ignore_missing: true
+- rename:
+ field: snyk.issue
+ target_field: snyk.vulnerabilities
+ ignore_missing: true
+- set:
+ field: vulnerability.score.version
+ value: "3.0"
+- set:
+ field: vulnerability.enumeration
+ value: CVE
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null
+- set:
+ field: vulnerability.enumeration
+ value: SNYK
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null
+- rename:
+ field: snyk.vulnerabilities.description
+ target_field: vulnerability.description
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.CVE
+ target_field: vulnerability.id
+ ignore_missing: true
+ if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null
+- rename:
+ field: snyk.vulnerabilities.identifiers.ALTERNATIVE
+ target_field: vulnerability.id
+ ignore_missing: true
+ if: ctx?.vulnerability?.id == null && ctx?.snyk?.vulnerabilities?.identifiers?.ALTERNATIVE != null
+- convert:
+ field: snyk.vulnerabilities.cvssScore
+ target_field: vulnerability.score.base
+ type: float
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.severity
+ target_field: vulnerability.severity
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.CVSSv3
+ target_field: snyk.vulnerabilities.cvss3
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.disclosureTime
+ target_field: snyk.vulnerabilities.disclosure_time
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.exploitMaturity
+ target_field: snyk.vulnerabilities.exploit_maturity
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.ALTERNATIVE
+ target_field: snyk.vulnerabilities.identifiers.alternative
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.identifiers.CWE
+ target_field: snyk.vulnerabilities.identifiers.cwe
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isIgnored
+ target_field: snyk.vulnerabilities.is_ignored
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPatchable
+ target_field: snyk.vulnerabilities.is_patchable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPatched
+ target_field: snyk.vulnerabilities.is_patched
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isPinnable
+ target_field: snyk.vulnerabilities.is_pinnable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.isUpgradable
+ target_field: snyk.vulnerabilities.is_upgradable
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.priorityScore
+ target_field: snyk.vulnerabilities.priority_score
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.publicationTime
+ target_field: snyk.vulnerabilities.publication_time
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.uniqueSeveritiesList
+ target_field: snyk.vulnerabilities.unique_severities_list
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.packageManager
+ target_field: snyk.vulnerabilities.package_manager
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.jiraIssueUrl
+ target_field: snyk.vulnerabilities.jira_issue_url
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.originalSeverity
+ target_field: snyk.vulnerabilities.original_severity
+ ignore_missing: true
+- rename:
+ field: snyk.isFixed
+ target_field: snyk.vulnerabilities.is_fixed
+ ignore_missing: true
+- rename:
+ field: snyk.introducedDate
+ target_field: snyk.vulnerabilities.introduced_date
+ ignore_missing: true
+- rename:
+ field: snyk.vulnerabilities.url
+ target_field: vulnerability.reference
+ ignore_missing: true
+- foreach:
+ field: snyk.vulnerabilities.patches
+ processor:
+ rename:
+ field: "{{ _ingest._value.modificationTime }}"
+ target_field: "{{ _ingest._value.modification_time }}"
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx?.snyk?.vulnerabilities?.patches != null
+- foreach:
+ field: snyk.projects
+ processor:
+ append:
+ field: snyk.related.projects
+ value: "{{_ingest._value.name }}"
+ ignore_failure: true
+ ignore_failure: true
+ if: ctx?.snyk?.projects != null
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- remove:
+ field:
+ - message
+ - snyk.vulnerabilities.cvssScore
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/agent.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/agent.yml
new file mode 100755
index 0000000000..4d9a6f7b36
--- /dev/null
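Review bot: the CVE/ALTERNATIVE `if:` conditions only test `!= null`, but Snyk returns `"CVE":[]` when an issue has no CVE (the vulnerabilities sample event later in this diff has exactly that), so an empty list sets `vulnerability.enumeration: CVE`, renames `[]` into `vulnerability.id`, blocks the ALTERNATIVE rename (its `ctx?.vulnerability?.id == null` guard sees the empty list), and the null-stripping script then deletes `vulnerability.id`, leaving `enumeration: CVE` with no id at all. Extend the four conditions to reject empty lists — e.g. `if: ctx?.snyk?.vulnerabilities?.identifiers?.CVE != null && !ctx.snyk.vulnerabilities.identifiers.CVE.isEmpty()` for the CVE set/rename, and the mirror test (CVE null or empty, ALTERNATIVE non-empty) for the SNYK set/rename — so SNYK ids are used whenever the CVE list is empty. In the patches `foreach`, `field: "{{ _ingest._value.modificationTime }}"` substitutes the field's value (a timestamp) as the field name, so the rename never matches and `ignore_missing` hides it; write `field: _ingest._value.modificationTime` and `target_field: _ingest._value.modification_time`.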
+++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/agent.yml 
@@ -0,0 +1,114 @@ +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' + - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). 
+ example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/base-fields.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/base-fields.yml new file mode 100755 index 0000000000..d3c9c6490e --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/base-fields.yml 
@@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset name. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: snyk +- name: event.dataset + type: constant_keyword + description: Event dataset + value: snyk.vulnerabilities +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/beats.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/beats.yml new file mode 100755 index 0000000000..cb44bb2944 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/beats.yml @@ -0,0 +1,12 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + type: keyword + description: Path to the log file. diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/ecs.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/ecs.yml new file mode 100755 index 0000000000..a7c206338e --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/ecs.yml 
@@ -0,0 +1,67 @@ +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. + This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. + doc_values: false + index: false + name: event.original + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + For log events the message field contains the log message, optimized for viewing in a log viewer. + For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. + If multiple messages exist, they can be combined into one message. + name: message + type: match_only_text +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
+ name: ecs.version + type: keyword +- description: Unique identifier for the group on the system/platform. + name: user.group.id + type: keyword +- description: Unique identifier of the user. + name: user.id + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword +- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + name: vulnerability.classification + type: keyword +- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + name: vulnerability.enumeration + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. + name: vulnerability.reference + type: keyword +- description: The name of the vulnerability scanner vendor. + name: vulnerability.scanner.vendor + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. 
For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: |- + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.score.version + type: keyword +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/fields.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/fields.yml new file mode 100755 index 0000000000..98b7a315e2 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/fields.yml 
@@ -0,0 +1,146 @@ +- name: snyk.vulnerabilities + type: group + description: > + Module for parsing Snyk project vulnerabilities. + + fields: + - name: cvss3 + type: keyword + description: > + CSSv3 scores. + + - name: disclosure_time + type: date + description: > + The time this vulnerability was originally disclosed to the package maintainers. + + - name: exploit_maturity + type: keyword + description: > + The Snyk exploit maturity level. + + - name: id + type: keyword + description: > + The vulnerability reference ID. + + - name: is_ignored + type: boolean + description: > + If the vulnerability report has been ignored. + + - name: is_patchable + type: boolean + description: > + If vulnerability is fixable by using a Snyk supplied patch. + + - name: is_patched + type: boolean + description: > + If the vulnerability has been patched. + + - name: is_pinnable + type: boolean + description: > + If the vulnerability is fixable by pinning a transitive dependency. + + - name: is_upgradable + type: boolean + description: > + If the vulnerability fixable by upgrading a dependency. + + - name: language + type: keyword + description: > + The package's programming language. + + - name: package + type: keyword + description: > + The package identifier according to its package manager. + + - name: package_manager + type: keyword + description: > + The package manager. + + - name: patches + type: flattened + description: > + Patches required to resolve the issue created by Snyk. + + - name: priority_score + type: long + description: > + The CVS priority score. + + - name: publication_time + type: date + description: > + The vulnerability publication time. + + - name: jira_issue_url + type: keyword + description: > + Link to the related Jira issue. + + - name: original_severity + type: long + description: > + The original severity of the vulnerability. 
+ + - name: reachability + type: keyword + description: > + If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. + + - name: title + type: keyword + description: > + The issue title. + + - name: type + type: keyword + description: > + The issue type. Can be either "license" or "vulnerability". + + - name: unique_severities_list + type: keyword + description: > + A list of related unique severities. + + - name: version + type: keyword + description: > + The package version this issue is applicable to. + + - name: introduced_date + type: date + description: > + The date the vulnerability was initially found. + + - name: is_fixed + type: boolean + description: > + If the related vulnerability has been resolved. + + - name: credit + type: keyword + description: > + Reference to the person that original found the vulnerability. + + - name: semver + type: flattened + description: > + One or more semver ranges this issue is applicable to. The format varies according to package manager. + + - name: identifiers.alternative + type: keyword + description: > + Additional vulnerability identifiers. + + - name: identifiers.cwe + type: keyword + description: > + CWE vulnerability identifiers. + diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/package-fields.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/package-fields.yml new file mode 100755 index 0000000000..a6f1fda959 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/fields/package-fields.yml @@ -0,0 +1,17 @@ +- name: snyk + type: group + release: beta + description: > + Module for parsing Snyk project vulnerabilities. + + fields: + - name: projects + type: flattened + description: > + Array with all related projects objects. + + - name: related.projects + type: keyword + description: > + Array of all the related project ID's. + 
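Review bot: `priority_score` is mapped as `long`, but the vulnerabilities sample event later in this diff carries `"priorityScore":4.05`, and with Elasticsearch's default `coerce` an integer mapping truncates the fraction rather than storing it; map it as `float` (or `double`), since the manifest describes the score as a 0–1000 range and Snyk evidently emits decimals. `original_severity` is also `long` while `severity` is a string (`"high"` in the sample); the sample only shows `originalSeverity: null`, so confirm the API's type before keeping an integer mapping. Two description fixes: `CSSv3 scores.` → `CVSSv3 vector string.` (the sample value is a `CVSS:3.0/...` vector, not a score) and `The CVS priority score.` → `The Snyk priority score.`.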
diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/manifest.yml b/packages/snyk/1.2.1/data_stream/vulnerabilities/manifest.yml new file mode 100755 index 0000000000..f64689d6d2 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/manifest.yml 
@@ -0,0 +1,200 @@ +title: "Collect Snyk Vulnerability Data" +type: logs +streams: + - input: httpjson + title: "Collect Snyk Vulnerability Data" + description: "Collect Snyk Vulnerability data via the Snyk API" + enabled: true + template_path: httpjson.yml.hbs + vars: + - name: orgs + type: text + title: Orgs + multi: true + show_user: true + required: true + description: The list of org IDs to filter the results by + - name: severity + type: text + title: Severity + multi: true + show_user: true + required: false + description: The severity levels of issues to filter the results by + default: + - critical + - high + - medium + - low + - name: exploit_maturity + type: text + title: Exploit Maturity + multi: true + show_user: true + required: false + description: The exploit maturity levels of issues to filter the results by + default: + - mature + - proof-of-concept + - no-known-exploit + - no-data + - name: types + type: text + title: Types + multi: true + show_user: true + required: false + description: The type of issues to filter the results by + default: + - vuln + - license + - configuration + - name: languages + type: text + title: Languages + multi: true + show_user: true + required: false + description: The type of languages to filter the results by + default: + - javascript + - ruby + - java + - scala + - python + - golang + - php + - dotnet + - swift-objective-c + - elixir + - docker + - terraform + - kubernetes + - helm + - cloudformation + - name: projects + type: text + title: Projects + multi: true + show_user: true + required: false + description: The list of project IDs to filter issues by, max projects allowed is 1000 + - name: identifier + type: text + title: Identifier + multi: false + show_user: true + required: false + description: Search term to filter issue name by, or an exact CVE or CWE + - name: ignored + type: bool + title: Ignored + multi: false + show_user: true + required: false + default: false + description: If set to true, only 
include issues which are ignored, if set to false, only include issues which are not ignored + - name: patched + type: bool + title: Patched + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are patched, if set to false, only include issues which are not patched + - name: fixable + type: bool + title: Fixable + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are fixable, if set to false, only include issues which are not fixable. An issue is fixable if it is either upgradable, patchable or pinnable. Also see isUpgradable, isPatchable and isPinnable filters. + - name: is_fixed + type: bool + title: Is Fixed + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are fixed, if set to false, only include issues which are not fixed + - name: is_upgradeable + type: bool + title: Is Upgradeable + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are upgradable, if set to false, only include issues which are not upgradable + - name: is_patchable + type: bool + title: Is Patchable + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are patchable, if set to false, only include issues which are not patchable + - name: is_pinnable + type: bool + title: Is Pinnable + multi: false + show_user: true + required: false + default: false + description: If set to true, only include issues which are pinnable, if set to false, only include issues which are not pinnable + - name: min_priority_score + type: text + title: Min Priority Score + multi: false + show_user: true + required: false + description: The priority score ranging between 0-1000 + default: 0 + - name: max_priority_score + type: text + title: Max Priority Score + 
multi: false + show_user: true + required: false + description: The priority score ranging between 0-1000 + default: 1000 + - name: interval + type: text + title: Interval to query Snyk Events API + description: Go Duration syntax (eg. 10s) + multi: false + show_user: false + required: true + default: 24h + - name: first_interval + type: text + title: Initial interval to query Snyk Events API + description: Go Duration syntax (eg. 10s) + multi: false + show_user: false + required: true + default: 24h + - name: tags + type: text + title: Tags + multi: true + show_user: false + default: + - forwarded + - snyk-vulnerabilities + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/snyk/1.2.1/data_stream/vulnerabilities/sample_event.json b/packages/snyk/1.2.1/data_stream/vulnerabilities/sample_event.json new file mode 100755 index 0000000000..4666a58964 --- /dev/null +++ b/packages/snyk/1.2.1/data_stream/vulnerabilities/sample_event.json 
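Review bot: the seven boolean filters (`ignored`, `patched`, `fixable`, `is_fixed`, `is_upgradeable`, `is_patchable`, `is_pinnable`) all default to `false`, and the stream's request template earlier in this diff sends every one of them unconditionally in `request.body.filters`, so — if the API applies them the way their own descriptions state (`if set to false, only include issues which are not fixable`) — a default installation excludes every fixable, upgradable, patchable and pinnable issue from the feed, which is the opposite of what a vulnerability view needs. Either remove the defaults and render each filter only when the user sets it (which means a tri-state `text` var rather than `bool`, because `{{#if}}` cannot tell `false` from unset, plus an `{{#if}}` around each key in the template), or state in each description that the default narrows the results. The actual filter semantics are inferred from the descriptions; worth confirming against the Snyk reporting API before changing the defaults.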
@@ -0,0 +1,141 @@ +{ + "@timestamp": "2022-01-02T10:21:46.407Z", + "agent": { + "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.vulnerabilities", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-01-02T10:21:46.407Z", + "dataset": "snyk.vulnerabilities", + "ingested": "2022-01-02T10:21:47Z", + "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 \\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code 
Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "projects": [ + { + "id": "projectid", + "name": "username/reponame", + "packageManager": "npm", + "source": "github", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "someotheruser/someotherreponame", + "packageManager": "npm", + "source": "github", + "targetFile": "folder1/package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "projectname", + "packageManager": "npm", + "source": "cli", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + } + ], + "related": { + "projects": [ + "username/reponame", + "someotheruser/someotherreponame", + "projectname" + ] + }, + "vulnerabilities": { + "credit": [ + "Snyk Security Research Team" + ], + "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "disclosure_time": "2016-11-27T22:00:00.000Z", + "exploit_maturity": "no-known-exploit", + "id": "npm:ejs:20161128", + "identifiers": { + "alternative": [ + "SNYK-JS-EJS-10218" + ], + "cwe": [ + "CWE-94" + ] + }, + "introduced_date": "2020-04-07", + "is_fixed": 
false, + "is_ignored": false, + "is_patchable": false, + "is_patched": false, + "is_pinnable": false, + "is_upgradable": false, + "language": "js", + "package": "ejs", + "package_manager": "npm", + "patches": [ + { + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "\u003c2.5.3 \u003e=2.2.4" + } + ], + "priority_score": 4.05, + "publication_time": "2016-11-28T18:44:12.000Z", + "reachability": "No Info", + "semver": { + "vulnerable": [ + "\u003c2.5.3" + ] + }, + "title": "Arbitrary Code Execution", + "type": "vuln", + "unique_severities_list": [ + "high" + ], + "version": "0.8.8" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-vulnerabilities" + ], + "vulnerability": { + "category": "Github", + "classification": "CVSS", + "enumeration": "CVE", + "reference": "https://snyk.io/vuln/npm:ejs:20161128", + "scanner": { + "vendor": "Snyk" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "high" + } +} \ No newline at end of file diff --git a/packages/snyk/1.2.1/docs/README.md b/packages/snyk/1.2.1/docs/README.md new file mode 100755 index 0000000000..93fc4dd869 --- /dev/null +++ b/packages/snyk/1.2.1/docs/README.md 
@@ -0,0 +1,346 @@ +# Snyk Integration + +This integration is for ingesting data from the [Snyk](https://snyk.io/) API. + +- `vulnerabilities`: Collects all found vulnerabilities for the related organizations and projects +- `audit`: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more. + +To configure access to the Snyk Audit Log API you will have to generate an API access token as described in the [Snyk Documentation](https://snyk.docs.apiary.io/#introduction/authorization) + + +## Audit + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2020-11-11T21:00:00.000Z", + "agent": { + "ephemeral_id": "d625d71f-f6c0-4b21-a59c-8e6c6ca1cfa1", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.audit", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "action": "org.user.invite", + "agent_id_status": "verified", + "created": "2022-01-02T10:21:09.808Z", + "dataset": "snyk.audit", + "ingested": "2022-01-02T10:21:10Z", + "original": "{\"content\":{\"email\":\"someone@snyk.io\",\"isAdmin\":false},\"created\":\"2020-11-11T21:00:00.000Z\",\"event\":\"org.user.invite\",\"groupId\":\"groupid123test-543123-54312sadf-123ad\",\"orgId\":\"orgid123test-5643asd234-asdfasdf\",\"projectId\":null,\"userId\":\"userid123test-234sdfa2-423sdfa-2134\"}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "audit": { + "content": { + "email": "someone@snyk.io", + "isAdmin": false + }, + "org_id": "orgid123test-5643asd234-asdfasdf" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-audit" + ], + "user": { + "group": { + "id": 
"groupid123test-543123-54312sadf-123ad" + }, + "id": "userid123test-234sdfa2-423sdfa-2134" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| host.architecture | Operating system architecture. 
| keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. 
| long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| snyk.audit.content | Overview of the content that was changed, both old and new values. | flattened | +| snyk.audit.org_id | ID of the related Organization related to the event. | keyword | +| snyk.audit.project_id | ID of the project related to the event. | keyword | +| snyk.projects | Array with all related projects objects. | flattened | +| snyk.related.projects | Array of all the related project ID's. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | + + +## Vulnerabilities + +An example event for `vulnerabilities` looks as following: + +```json +{ + "@timestamp": "2022-01-02T10:21:46.407Z", + "agent": { + "ephemeral_id": "b6ade099-0307-4079-b700-1b29dfb838ff", + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.0.0-beta1" + }, + "data_stream": { + "dataset": "snyk.vulnerabilities", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba", + "snapshot": false, + "version": "8.0.0-beta1" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-01-02T10:21:46.407Z", + "dataset": "snyk.vulnerabilities", + "ingested": "2022-01-02T10:21:47Z", + "original": "{\"introducedDate\":\"2020-04-07\",\"isFixed\":false,\"issue\":{\"CVSSv3\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"credit\":[\"Snyk Security Research 
Team\"],\"cvssScore\":\"8.1\",\"disclosureTime\":\"2016-11-27T22:00:00.000Z\",\"exploitMaturity\":\"no-known-exploit\",\"id\":\"npm:ejs:20161128\",\"identifiers\":{\"ALTERNATIVE\":[\"SNYK-JS-EJS-10218\"],\"CVE\":[],\"CWE\":[\"CWE-94\"]},\"isIgnored\":false,\"isPatchable\":false,\"isPatched\":false,\"isPinnable\":false,\"isUpgradable\":false,\"jiraIssueUrl\":null,\"language\":\"js\",\"originalSeverity\":null,\"package\":\"ejs\",\"packageManager\":\"npm\",\"patches\":[{\"comments\":[],\"id\":\"patch:npm:ejs:20161128:0\",\"modificationTime\":\"2019-12-03T11:40:45.851976Z\",\"urls\":[\"https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch\"],\"version\":\"\\u003c2.5.3 \\u003e=2.2.4\"}],\"priorityScore\":4.05,\"publicationTime\":\"2016-11-28T18:44:12.000Z\",\"reachability\":\"No Info\",\"semver\":{\"vulnerable\":[\"\\u003c2.5.3\"]},\"severity\":\"high\",\"title\":\"Arbitrary Code Execution\",\"type\":\"vuln\",\"uniqueSeveritiesList\":[\"high\"],\"url\":\"https://snyk.io/vuln/npm:ejs:20161128\",\"version\":\"0.8.8\"},\"projects\":[{\"id\":\"projectid\",\"name\":\"username/reponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"someotheruser/someotherreponame\",\"packageManager\":\"npm\",\"source\":\"github\",\"targetFile\":\"folder1/package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"},{\"id\":\"projectid\",\"name\":\"projectname\",\"packageManager\":\"npm\",\"source\":\"cli\",\"targetFile\":\"package.json\",\"url\":\"https://snyk.io/org/orgname/project/projectid\"}]}" + }, + "host": { + "name": "docker-fleet-agent" + }, + "input": { + "type": "httpjson" + }, + "snyk": { + "projects": [ + { + "id": "projectid", + "name": "username/reponame", + "packageManager": "npm", + "source": "github", + "targetFile": "package.json", + "url": 
"https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "someotheruser/someotherreponame", + "packageManager": "npm", + "source": "github", + "targetFile": "folder1/package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + }, + { + "id": "projectid", + "name": "projectname", + "packageManager": "npm", + "source": "cli", + "targetFile": "package.json", + "url": "https://snyk.io/org/orgname/project/projectid" + } + ], + "related": { + "projects": [ + "username/reponame", + "someotheruser/someotherreponame", + "projectname" + ] + }, + "vulnerabilities": { + "credit": [ + "Snyk Security Research Team" + ], + "cvss3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "disclosure_time": "2016-11-27T22:00:00.000Z", + "exploit_maturity": "no-known-exploit", + "id": "npm:ejs:20161128", + "identifiers": { + "alternative": [ + "SNYK-JS-EJS-10218" + ], + "cwe": [ + "CWE-94" + ] + }, + "introduced_date": "2020-04-07", + "is_fixed": false, + "is_ignored": false, + "is_patchable": false, + "is_patched": false, + "is_pinnable": false, + "is_upgradable": false, + "language": "js", + "package": "ejs", + "package_manager": "npm", + "patches": [ + { + "id": "patch:npm:ejs:20161128:0", + "modificationTime": "2019-12-03T11:40:45.851976Z", + "urls": [ + "https://snyk-patches.s3.amazonaws.com/npm/ejs/20161128/ejs_20161128_0_0_3d447c5a335844b25faec04b1132dbc721f9c8f6.patch" + ], + "version": "\u003c2.5.3 \u003e=2.2.4" + } + ], + "priority_score": 4.05, + "publication_time": "2016-11-28T18:44:12.000Z", + "reachability": "No Info", + "semver": { + "vulnerable": [ + "\u003c2.5.3" + ] + }, + "title": "Arbitrary Code Execution", + "type": "vuln", + "unique_severities_list": [ + "high" + ], + "version": "0.8.8" + } + }, + "tags": [ + "preserve_original_event", + "forwarded", + "snyk-vulnerabilities" + ], + "vulnerability": { + "category": "Github", + "classification": "CVSS", + "enumeration": "CVE", + "reference": 
"https://snyk.io/vuln/npm:ejs:20161128", + "scanner": { + "vendor": "Snyk" + }, + "score": { + "base": 8.1, + "version": "3.0" + }, + "severity": "high" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Path to the log file. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. 
| long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| snyk.projects | Array with all related projects objects. | flattened | +| snyk.related.projects | Array of all the related project ID's. | keyword | +| snyk.vulnerabilities.credit | Reference to the person that original found the vulnerability. | keyword | +| snyk.vulnerabilities.cvss3 | CSSv3 scores. | keyword | +| snyk.vulnerabilities.disclosure_time | The time this vulnerability was originally disclosed to the package maintainers. | date | +| snyk.vulnerabilities.exploit_maturity | The Snyk exploit maturity level. | keyword | +| snyk.vulnerabilities.id | The vulnerability reference ID. | keyword | +| snyk.vulnerabilities.identifiers.alternative | Additional vulnerability identifiers. | keyword | +| snyk.vulnerabilities.identifiers.cwe | CWE vulnerability identifiers. | keyword | +| snyk.vulnerabilities.introduced_date | The date the vulnerability was initially found. | date | +| snyk.vulnerabilities.is_fixed | If the related vulnerability has been resolved. | boolean | +| snyk.vulnerabilities.is_ignored | If the vulnerability report has been ignored. | boolean | +| snyk.vulnerabilities.is_patchable | If vulnerability is fixable by using a Snyk supplied patch. | boolean | +| snyk.vulnerabilities.is_patched | If the vulnerability has been patched. | boolean | +| snyk.vulnerabilities.is_pinnable | If the vulnerability is fixable by pinning a transitive dependency. | boolean | +| snyk.vulnerabilities.is_upgradable | If the vulnerability fixable by upgrading a dependency. | boolean | +| snyk.vulnerabilities.jira_issue_url | Link to the related Jira issue. 
| keyword | +| snyk.vulnerabilities.language | The package's programming language. | keyword | +| snyk.vulnerabilities.original_severity | The original severity of the vulnerability. | long | +| snyk.vulnerabilities.package | The package identifier according to its package manager. | keyword | +| snyk.vulnerabilities.package_manager | The package manager. | keyword | +| snyk.vulnerabilities.patches | Patches required to resolve the issue created by Snyk. | flattened | +| snyk.vulnerabilities.priority_score | The CVS priority score. | long | +| snyk.vulnerabilities.publication_time | The vulnerability publication time. | date | +| snyk.vulnerabilities.reachability | If the vulnerable function from the library is used in the code scanned. Can either be No Info, Potentially reachable and Reachable. | keyword | +| snyk.vulnerabilities.semver | One or more semver ranges this issue is applicable to. The format varies according to package manager. | flattened | +| snyk.vulnerabilities.title | The issue title. | keyword | +| snyk.vulnerabilities.type | The issue type. Can be either "license" or "vulnerability". | keyword | +| snyk.vulnerabilities.unique_severities_list | A list of related unique severities. | keyword | +| snyk.vulnerabilities.version | The package version this issue is applicable to. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.id | Unique identifier of the user. | keyword | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. 
| keyword | +| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | +| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | + + 
diff --git a/packages/snyk/1.2.1/img/snyk-logo.svg b/packages/snyk/1.2.1/img/snyk-logo.svg
new file mode 100755
index 0000000000..039ceba032
--- /dev/null
+++ b/packages/snyk/1.2.1/img/snyk-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/snyk/1.2.1/manifest.yml b/packages/snyk/1.2.1/manifest.yml
new file mode 100755
index 0000000000..a1eeaea079
--- /dev/null
+++ b/packages/snyk/1.2.1/manifest.yml
@@ -0,0 +1,62 @@
+format_version: 1.0.0
+name: snyk
+title: "Snyk"
+version: 1.2.1
+license: basic
+description: "Collect logs from Snyk API with Elastic Agent."
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/snyk-logo.svg
+ title: Snyk logo
+ size: 382x625
+ type: image/svg+xml
+policy_templates:
+ - name: snyk
+ title: Snyk Events
+ description: Collect data from Snyk API
+ inputs:
+ - type: httpjson
+ title: Collect data from Snyk API
+ description: Collect Audit and Vulnerabilty data from the Snyk API
+ vars:
+ - name: url
+ type: text
+ title: Base URL of Snyk API Server
+ multi: false
+ show_user: false
+ required: true
+ default: https://snyk.io/api/v1
+ description: The base URL as found [here](https://snyk.docs.apiary.io/#introduction/api-url). No trailing /.
+ - name: api_token
+ type: password
+ title: Snyk API Token
+ multi: false
+ show_user: true
+ required: true
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ multi: false
+ required: false
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+owner:
+ github: elastic/security-external-integrations
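Review bot: The `proxy_url` description in the snyk manifest reads `http[s]://:@:`, so the user is given a format string with every placeholder missing; this looks like `<user>:<password>@<host>:<port>` lost to angle-bracket stripping somewhere, but as committed it is unusable. Suggest `description: URL to proxy connections in the form of http[s]://[user]:[password]@[host]:[port]`, using brackets that survive rendering. The `http_client_timeout` var has no `description` and no `default`, unlike every other var in this block, so a user cannot tell what unit or format it expects. The input description also misspells `Vulnerabilty`.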
diff --git a/packages/tenable_sc/1.2.2/changelog.yml b/packages/tenable_sc/1.2.2/changelog.yml new file mode 100755 index 0000000000..615927b767 --- /dev/null +++ b/packages/tenable_sc/1.2.2/changelog.yml @@ -0,0 +1,41 @@ +# newer versions go on top +- version: "1.2.2" + changes: + - description: Update readme - added links to tenable documentation and made the English clearer. + type: enhancement + link: https://github.com/elastic/integrations/pull/3165 +- version: "1.2.1" + changes: + - description: Add mapping for `event.created` + type: bugfix + link: https://github.com/elastic/integrations/pull/3568 +- version: "1.2.0" + changes: + - description: Update to ECS 8.2 + type: enhancement + link: https://github.com/elastic/integrations/pull/2781 +- version: "1.1.1" + changes: + - description: Add documentation for multi-fields + type: enhancement + link: https://github.com/elastic/integrations/pull/2916 +- version: "1.1.0" + changes: + - description: Add custom User-Agent. Added configurable response size. Added filter in vulnerability dashboard to filter hostname and vulnerability cve id. Added unique identifier to asset. + type: enhancement + link: https://github.com/elastic/integrations/pull/2718 +- version: 1.0.0 + changes: + - description: Promote to GA. + type: enhancement + link: https://github.com/elastic/integrations/pull/2565 +- version: "0.2.0" + changes: + - description: Update to ECS 8.0 + type: enhancement + link: https://github.com/elastic/integrations/pull/2444 +- version: "0.1.0" + changes: + - description: initial release + type: enhancement + link: https://github.com/elastic/integrations/pull/2188 diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/1.2.2/data_stream/asset/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..71a78287ab --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/asset/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,83 @@
+config_version: 2
+interval: {{interval}}
+request.method: POST
+request.url: {{url}}/rest/analysis
+request.timeout: 60s
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.transforms:
+ - delete:
+ target: header.User-Agent
+ - set:
+ # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
+ # NOTE: The "Build" version must be kept in sync with this package's version.
+ target: header.User-Agent
+ value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
+ - set:
+ target: body.query.tool
+ value: 'sumip'
+ - append:
+ target: body.query.filters
+ value: |-
+ {
+ "filterName":"lastSeen",
+ "operator":"=",
+ "value": "[[.cursor.last_event_ts]]-[[(now).Unix]]"
+ }
+ default: |-
+ {
+ "filterName":"lastSeen",
+ "operator":"=",
+ "value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]"
+ }
+ value_type: json
+ - set:
+ target: body.query.type
+ value: 'vuln'
+ - set:
+ target: body.sourceType
+ value: 'cumulative'
+ - set:
+ target: body.startOffset
+ value: 0
+ - set:
+ target: body.endOffset
+ value: {{batch_size}}
+ - set:
+ target: body.type
+ value: 'vuln'
+ - set:
+ target: header.x-apikey
+ value: 'accesskey={{access_key}}; secretkey={{secret_key}}'
+response.split:
+ target: body.response.results
+response.pagination:
+ - set:
+ target: body.startOffset
+ value: '[[toInt .last_response.body.response.endOffset]]'
+ fail_on_template_error: true
+ - set:
+ target: body.endOffset
+ value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
+ fail_on_template_error: true
+cursor:
+ last_event_ts:
+ value: '[[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[toInt .last_response.body.timestamp]][[end]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains 
"forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/1.2.2/data_stream/asset/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..f328870884
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/asset/elasticsearch/ingest_pipeline/default.yml
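Review bot: The User-Agent transform `value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'` still reports Build/1.1.0, while this file is added under packages/tenable_sc/1.2.2 and the changelog in the same commit lists 1.2.2 as the current version; the comment directly above it says the Build version must be kept in sync with the package version, so the literal should read `Build/1.2.2`. The plugin stream added in this commit, packages/tenable_sc/1.2.2/data_stream/plugin/agent/stream/httpjson.yml.hbs, carries the same stale value. The changelog attributes the custom User-Agent to 1.1.0, which suggests the literal was written when the header was introduced and not bumped in the releases since; as it is a hard-coded string in two templates, a comment on each naming the other file would at least make the next bump catch both.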
@@ -0,0 +1,245 @@
+---
+description: Pipeline for Tenable.sc asset logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.2.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+ ignore_failure: true
+ - date:
+ field: json.timestamp
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - UNIX
+ - set:
+ field: event.type
+ value: info
+ - set:
+ field: event.kind
+ value: state
+ - set:
+ field: event.category
+ value: host
+ - append:
+ field: related.ip
+ value: "{{{json.ip}}}"
+ if: ctx?.json?.ip != null
+ - append:
+ field: host.ip
+ value: "{{{json.ip}}}"
+ if: ctx?.json?.ip != null
+ - script:
+ if: ctx.json.uniqueness != ""
+ lang: painless
+ source: >-
+ def keys = ctx.json.uniqueness.toString().splitOnToken(",");
+ ctx.tenable_sc = new HashMap();
+ ctx.tenable_sc.asset = new HashMap();
+ String uniqueKey = "";
+ if (keys.length > 0) {
+ for (int i = 0; i < keys.length; i++) {
+ if(keys[i] == "repositoryID") {
+ uniqueKey = uniqueKey + ctx.json.repository.id + (i == keys.length - 1 ? "" : "_");
+ } else {
+ uniqueKey = uniqueKey + ctx.json[keys[i]] + (i == keys.length - 1 ? 
"" : "_");
+ }
+ }
+ }
+ ctx.tenable_sc.asset.custom_hash = uniqueKey;
+ - fingerprint:
+ fields:
+ - tenable_sc.asset.custom_hash
+ target_field: tenable_sc.asset.custom_hash
+ method: SHA-256
+ ignore_missing: true
+ - rename:
+ field: json.ip
+ target_field: tenable_sc.asset.ip
+ ignore_missing: true
+ - rename:
+ field: json.uuid
+ target_field: tenable_sc.asset.uuid
+ ignore_missing: true
+ - convert:
+ field: json.score
+ target_field: tenable_sc.asset.score
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.total
+ target_field: tenable_sc.asset.total
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.severityInfo
+ target_field: tenable_sc.asset.severity.info
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.severityLow
+ target_field: tenable_sc.asset.severity.low
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.severityMedium
+ target_field: tenable_sc.asset.severity.medium
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.severityHigh
+ target_field: tenable_sc.asset.severity.high
+ type: long
+ ignore_failure: true
+ - convert:
+ field: json.severityCritical
+ target_field: tenable_sc.asset.severity.critical
+ type: long
+ ignore_failure: true
+ - gsub:
+ field: json.macAddress
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: json.macAddress
+ ignore_missing: true
+ - append:
+ if: ctx?.json?.macAddress != null
+ field: host.mac
+ value: '{{{json.macAddress}}}'
+ allow_duplicates: false
+ - rename:
+ field: json.macAddress
+ target_field: tenable_sc.asset.mac
+ - rename:
+ field: json.policyName
+ target_field: tenable_sc.asset.policy.name
+ ignore_missing: true
+ - rename:
+ field: json.pluginSet
+ target_field: tenable_sc.asset.plugin_set
+ ignore_missing: true
+ - set:
+ field: tenable_sc.asset.netbios.name
+ copy_from: json.netbiosName
+ ignore_failure: true
+ - set:
+ field: host.hostname
+ copy_from: json.dnsName
+ ignore_failure: true
+ - set:
+ 
field: tenable_sc.asset.dns.name
+ copy_from: json.dnsName
+ ignore_failure: true
+ - script:
+ lang: painless
+ source: |
+ def domain = "";
+ def nameArray = ctx.json.dnsName.toString().splitOnToken(".");
+ if (nameArray?.length > 0) {
+ for (int i = 1; i < nameArray.length; i++) {
+ domain += nameArray[i] + (i < nameArray.length - 1 ? "." : "");
+ }
+ ctx.host.name = nameArray[0];
+ ctx.host.domain = domain;
+ }
+ - append:
+ field: related.hosts
+ value: "{{{host.hostname}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{{host.name}}}"
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{{json.netbiosName}}}"
+ allow_duplicates: false
+ - rename:
+ field: json.osCPE
+ target_field: tenable_sc.asset.os_cpe
+ ignore_missing: true
+ - rename:
+ field: json.biosGUID
+ target_field: tenable_sc.asset.bios.guid
+ ignore_missing: true
+ - rename:
+ field: json.tpmID
+ target_field: tenable_sc.asset.tpm.id
+ ignore_missing: true
+ - rename:
+ field: json.mcafeeGUID
+ target_field: tenable_sc.asset.mcafee.guid
+ ignore_missing: true
+ - rename:
+ field: json.lastAuthRun
+ target_field: tenable_sc.asset.last_auth_run
+ ignore_missing: true
+ - rename:
+ field: json.lastUnauthRun
+ target_field: tenable_sc.asset.last_unauth_run
+ ignore_missing: true
+ - rename:
+ field: json.hostUniqueness
+ target_field: tenable_sc.asset.host_uniqueness
+ ignore_missing: true
+ - rename:
+ field: json.uniqueness
+ target_field: tenable_sc.asset.uniqueness
+ ignore_missing: true
+ - rename:
+ field: json.repository.id
+ target_field: tenable_sc.asset.repository.id
+ ignore_missing: true
+ - rename:
+ field: json.repository.name
+ target_field: tenable_sc.asset.repository.name
+ ignore_missing: true
+ - rename:
+ field: json.repository.description
+ target_field: tenable_sc.asset.repository.description
+ ignore_missing: true
+ - rename:
+ field: json.repository.sciID
+ target_field: tenable_sc.asset.repository.sci.id
+ ignore_missing: true
+ - 
rename:
+ field: json.repository.dataFormat
+ target_field: tenable_sc.asset.repository.data_format
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively
+ lang: painless
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+on_failure:
+ - set:
+ field: error.message
+ value: "{{{ _ingest.on_failure_message }}}"
diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/fields/agent.yml b/packages/tenable_sc/1.2.2/data_stream/asset/fields/agent.yml
new file mode 100755
index 0000000000..e313ec8287
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/asset/fields/agent.yml
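Review bot: The `rename` of `json.macAddress` to `tenable_sc.asset.mac` is the only rename in this pipeline without `ignore_missing: true`, so an asset record with no macAddress fails the whole pipeline and is indexed via `on_failure` with only `error.message` set, even though the `append` to `host.mac` just before it already guards with `if: ctx?.json?.macAddress != null`; adding `ignore_missing: true` to that processor makes it consistent with the rest. The two Painless scripts are unguarded in the same way: the first runs on `if: ctx.json.uniqueness != ""`, which is also true when `uniqueness` is absent and then dereferences it with `.toString()`, and the dnsName script has no `if` at all, calls `ctx.json.dnsName.toString()` and assigns `ctx.host.name` even if no earlier processor has created `host`. `if: ctx.json?.uniqueness != null && ctx.json.uniqueness != ""` on the first and `if: ctx.json?.dnsName != null` on the second would let such records through with the remaining fields still mapped.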
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/fields/base-fields.yml b/packages/tenable_sc/1.2.2/data_stream/asset/fields/base-fields.yml new file mode 100755 index 0000000000..bba8124ebf --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/asset/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: tenable_sc +- name: event.dataset + type: constant_keyword + description: Event dataset + value: tenable_sc.asset +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/fields/ecs.yml b/packages/tenable_sc/1.2.2/data_stream/asset/fields/ecs.yml new file mode 100755 index 0000000000..f2863bfb59 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/asset/fields/ecs.yml 
@@ -0,0 +1,39 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/fields/fields.yml b/packages/tenable_sc/1.2.2/data_stream/asset/fields/fields.yml new file mode 100755 index 0000000000..312ae532c8 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/asset/fields/fields.yml 
@@ -0,0 +1,121 @@
+- name: tenable_sc.asset
+ type: group
+ fields:
+ - name: bios.guid
+ type: keyword
+ description: |
+ GUID of bios
+ - name: custom_hash
+ type: keyword
+ description: |
+ Hash representing the values of the field names mentioned in uniqueness field in order to uniquely identify an asset.
+ - name: dns.name
+ type: keyword
+ description: |
+ DNS name of the asset
+ - name: host_uniqueness
+ type: keyword
+ description: |
+ Host Uniqueness
+ - name: ip
+ type: keyword
+ description: |
+ The IPv4 address of the asset.
+ - name: last_auth_run
+ type: keyword
+ description: |
+ The timestamp of last auth run
+ - name: last_unauth_run
+ type: keyword
+ description: |
+ The timestamp of last unauth run
+ - name: mcafee.guid
+ type: keyword
+ description: |
+ GUID of McAfee.
+ - name: mac
+ type: keyword
+ description: |
+ The mac address of the asset
+ - name: netbios.name
+ type: keyword
+ description: |
+ Name of netbios of the asset
+ - name: os_cpe
+ type: keyword
+ description: |
+ OS CPE (Common Platform Enumeration is a standardized way to name software applications, operating systems, and hardware platforms)
+ - name: plugin_set
+ type: keyword
+ description: |
+ The plugin set the asset fall in.
+ - name: policy.name
+ type: keyword
+ description: |
+ The name of the policy that is assigned to the asset
+ - name: tpm.id
+ type: keyword
+ description: |
+ The ID of TPM.
+ - name: repository
+ type: group
+ fields:
+ - name: data_format
+ type: keyword
+ description: |
+ Data format.
+ - name: description
+ type: keyword
+ description: |
+ Description of repository.
+ - name: id
+ type: keyword
+ description: |
+ ID of repository the asset belongs to.
+ - name: name
+ type: keyword
+ description: |
+ Name of repository the asset belongs to.
+ - name: sci.id
+ type: keyword
+ description: |
+ Sci ID.
+ - name: score
+ type: long
+ description: |
+ The score of the asset
+ - name: severity
+ type: group
+ fields:
+ - name: info
+ type: long
+ description: |
+ The info score of the asset
+ - name: low
+ type: long
+ description: |
+ The low score of the asset
+ - name: medium
+ type: long
+ description: |
+ The medium score of the asset
+ - name: high
+ type: long
+ description: |
+ The high score of the asset
+ - name: critical
+ type: long
+ description: |
+ The critical score of the asset
+ - name: total
+ type: long
+ description: |
+ The total score for the asset
+ - name: uniqueness
+ type: keyword
+ description: |
+ Uniqueness
+ - name: uuid
+ type: keyword
+ description: |
+ The uuid of the asset.
diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/manifest.yml b/packages/tenable_sc/1.2.2/data_stream/asset/manifest.yml
new file mode 100755
index 0000000000..e271e7936f
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/asset/manifest.yml
@@ -0,0 +1,34 @@
+title: Tenable.sc asset logs
+type: logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - tenable_sc-asset
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Tenable.sc asset logs
+ description: Collect Tenable.sc asset logs
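Review bot: `tenable_sc.asset.ip` is declared `type: keyword` although its description says it holds the asset's IPv4 address and the asset pipeline in this commit appends the same value to `host.ip`, which is an `ip` field; declaring it `type: ip` would allow range and CIDR queries on the asset-specific copy as well, provided every value the API returns is a valid address (the sample event only shows a plain dotted-quad, so this needs confirming). `last_auth_run` and `last_unauth_run` are described as timestamps but also typed keyword; if the API returns them in one consistent format they would be more useful as `date`, and if not, the descriptions should state what the strings contain rather than calling them timestamps. The descriptions in this file also mix terminal periods and none (`GUID of bios` vs `GUID of McAfee.`), which is worth normalising while the file is new.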
diff --git a/packages/tenable_sc/1.2.2/data_stream/asset/sample_event.json b/packages/tenable_sc/1.2.2/data_stream/asset/sample_event.json new file mode 100755 index 0000000000..1b12f787ed --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/asset/sample_event.json 
@@ -0,0 +1,103 @@ +{ + "@timestamp": "2022-02-14T16:30:33.654Z", + "agent": { + "ephemeral_id": "2bf50bac-f76f-4c1a-b758-e2f62bffd73d", + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "tenable_sc.asset", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "host", + "created": "2022-02-14T16:30:33.654Z", + "dataset": "tenable_sc.asset", + "ingested": "2022-02-14T16:30:37Z", + "kind": "state", + "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", + "type": "info" + }, + "host": { + "domain": "example", + "hostname": "rnkmigauv2l8zeyf.example", + "ip": [ + "0.0.228.153" + ], + "mac": [ + "00-00-00-47-05-0D" + ], + "name": "rnkmigauv2l8zeyf" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "rnkmigauv2l8zeyf.example", + "rnkmigauv2l8zeyf", + "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" + ], + "ip": [ + "0.0.228.153" + ] + }, + "tags": [ + "preserve_original_event", + 
"forwarded", + "tenable_sc-asset" + ], + "tenable_sc": { + "asset": { + "bios": { + "guid": "9e8c4d43-982b-4405-a76c-d56c1d6cf117" + }, + "custom_hash": "ilZiksv+pbvyBkKXgFRLGuMuUovfGI0pjIX5yLMp+I8=", + "dns": { + "name": "rnkmigauv2l8zeyf.example" + }, + "host_uniqueness": "repositoryID,ip,dnsName", + "ip": "0.0.228.153", + "mac": "00-00-00-47-05-0D", + "netbios": { + "name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" + }, + "os_cpe": "cpe:/o:microsoft:windows_10:::x64-home", + "plugin_set": "201901281542", + "policy": { + "name": "Basic Agent Scan" + }, + "repository": { + "data_format": "IPv4", + "id": "2", + "name": "Staged-Large", + "sci": { + "id": "1" + } + }, + "score": 307, + "severity": { + "critical": 6, + "high": 4, + "info": 131, + "low": 0, + "medium": 9 + }, + "total": 150, + "uniqueness": "repositoryID,ip,dnsName", + "uuid": "4add65d0-27fc-491c-91ba-3f498a61f49e" + } + } +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/1.2.2/data_stream/plugin/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..07de952af7 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,75 @@
+config_version: 2
+interval: {{interval}}
+request.method: GET
+request.url: {{url}}/rest/plugin
+request.timeout: 60s
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.transforms:
+ - delete:
+ target: header.User-Agent
+ - set:
+ # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
+ # NOTE: The "Build" version must be kept in sync with this package's version.
+ target: header.User-Agent
+ value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
+ - set:
+ target: url.params.fields
+ value: id,name,description,family,type,copyright,version,sourceFile,dependencies,requiredPorts,requiredUDPPorts,cpe,srcPort,dstPort,protocol,riskFactor,solution,seeAlso,synopsis,checkType,exploitEase,exploitAvailable,exploitFrameworks,cvssVector,cvssVectorBF,baseScore,temporalScore,cvssV3Vector,cvssV3VectorBF,cvssV3BaseScore,cvssV3TemporalScore,vprScore,vprContext,stigSeverity,pluginPubDate,pluginModDate,patchPubDate,patchModDate,vulnPubDate,modifiedTime,md5,xrefs
+ - set:
+ target: header.x-apikey
+ value: 'accesskey={{access_key}}; secretkey={{secret_key}}'
+ - set:
+ target: url.params.filterField
+ value: pluginModDate
+ - set:
+ target: url.params.value
+ value: '[[.cursor.last_event_ts]]'
+ default: '[[(now (parseDuration "-{{initial_interval}}")).Unix]]'
+ - set:
+ target: url.params.op
+ value: gt
+ - set:
+ target: url.params.sortField
+ value: modifiedTime
+ - set:
+ target: url.params.sortDirection
+ value: ASC
+ - set:
+ target: url.params.startOffset
+ value: 0
+ - set:
+ target: url.params.endOffset
+ value: {{batch_size}}
+response.pagination:
+ - set:
+ target: url.params.startOffset
+ value: '[[toInt (.last_response.url.params.Get "endOffset")]]'
+ fail_on_template_error: true
+ - set:
+ target: url.params.endOffset
+ value: '[[add (toInt (.last_response.url.params.Get "endOffset")) {{batch_size}}]]'
+ fail_on_template_error: true
+response.split:
+ target: body.response
+cursor:
+ last_event_ts:
+ value: '[[if (lt (len .last_response.body.response) {{batch_size}})]][[.last_event.pluginModDate]][[end]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..4e6d4aa7d9
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/plugin/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,339 @@ +--- +description: Pipeline for Tenable.sc plugin logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - date: + field: json.modifiedTime + target_field: "@timestamp" + ignore_failure: true + formats: + - UNIX + - fingerprint: + fields: + - json.modifiedTime + - json.id + - json.name + - json.type + - json.description + - json.version + - json.sourceFile + - json.cpe + - json.dependencies + - json.riskFactor + - json.vprContext + - json.vprScore + - json.baseScore + - json.temporalScore + - json.cvssVector + - json.cvssV3Vector + - json.pluginModDate + - json.patchPubDate + - json.vulnPubDate + - json.family + target_field: _id + ignore_missing: true + - set: + field: event.type + value: info + - set: + field: event.kind + value: event + - rename: + field: json.id + target_field: tenable_sc.plugin.id + ignore_missing: true + - rename: + field: json.name + target_field: tenable_sc.plugin.name + ignore_missing: true + - rename: + field: json.description + target_field: tenable_sc.plugin.description + ignore_missing: true + - rename: + field: json.type + target_field: tenable_sc.plugin.type + ignore_missing: true + - rename: + field: json.copyright + target_field: tenable_sc.plugin.copyright + ignore_missing: true + - convert: + field: json.version + target_field: tenable_sc.plugin.version + type: double + ignore_failure: true + - rename: + field: json.sourceFile + target_field: tenable_sc.plugin.source_file + ignore_missing: true + - split: + field: json.dependencies + target_field: tenable_sc.plugin.dependencies + separator: "," + ignore_missing: true + - rename: + field: json.requiredPorts + target_field: tenable_sc.plugin.required_ports + ignore_missing: true + - rename: + field: json.requiredUDPPorts + target_field: tenable_sc.plugin.required_udp_ports + ignore_missing: 
true + - split: + field: json.cpe + target_field: tenable_sc.plugin.cpe + separator: '\n' + ignore_missing: true + - rename: + field: json.srcPort + target_field: tenable_sc.plugin.src_port + ignore_missing: true + - rename: + field: json.dstPort + target_field: tenable_sc.plugin.dst_port + ignore_missing: true + - rename: + field: json.protocol + target_field: tenable_sc.plugin.protocol + ignore_missing: true + - rename: + field: json.riskFactor + target_field: tenable_sc.plugin.risk_factor + ignore_missing: true + - rename: + field: json.solution + target_field: tenable_sc.plugin.solution + ignore_missing: true + - split: + field: json.seeAlso + target_field: tenable_sc.plugin.see_also + separator: '\n' + ignore_missing: true + - rename: + field: json.synopsis + target_field: tenable_sc.plugin.synopsis + ignore_missing: true + - rename: + field: json.checkType + target_field: tenable_sc.plugin.check_type + if: ctx?.json?.checkType != '' + - rename: + field: json.exploitEase + target_field: tenable_sc.plugin.exploit.ease + ignore_missing: true + - rename: + field: json.exploitAvailable + target_field: tenable_sc.plugin.exploit.is_available + ignore_missing: true + - rename: + field: json.exploitFrameworks + target_field: tenable_sc.plugin.exploit.frameworks + ignore_missing: true + - rename: + field: json.cvssVector + target_field: tenable_sc.plugin.cvss_vector + if: ctx?.json?.cvssVector != '' + - rename: + field: json.cvssVectorBF + target_field: tenable_sc.plugin.cvss_vector_bf + if: ctx?.json?.cvssVectorBF != '0' + - convert: + field: json.baseScore + target_field: tenable_sc.plugin.base_score + type: double + ignore_failure: true + - convert: + field: json.temporalScore + target_field: tenable_sc.plugin.temporal_score + type: double + ignore_failure: true + - rename: + field: json.cvssV3Vector + target_field: tenable_sc.plugin.cvssv3_vector + if: ctx?.json?.cvssV3Vector != '' + - rename: + field: json.cvssV3VectorBF + target_field: 
tenable_sc.plugin.cvssv3_vector_bf + if: ctx?.json?.cvssV3VectorBF != '0' + - convert: + field: json.cvssV3BaseScore + target_field: tenable_sc.plugin.cvssv3_base_score + type: double + ignore_failure: true + - convert: + field: json.cvssV3TemporalScore + target_field: tenable_sc.plugin.cvssv3_temporal_score + type: double + ignore_failure: true + - convert: + field: json.vprScore + target_field: tenable_sc.plugin.vpr.score + type: double + ignore_failure: true + - json: + field: json.vprContext + target_field: json.vprContext + ignore_failure: true + - script: + if: ctx?.json?.vprContext != null + lang: painless + source: >- + def parts = ctx.json.vprContext; + if (parts != null && parts.length > 0) { + Map map = new HashMap(); + for (int i = 0; i < parts.length; i++) { + map.put(parts[i]["id"], parts[i]["value"]) + } + ctx.tenable_sc.plugin.vpr.context = map; + ctx.tenable_sc.plugin.vpr.context._original = parts; + } + - rename: + field: json.stigSeverity + target_field: tenable_sc.plugin.stig_severity + ignore_missing: true + - set: + field: tenable_sc.plugin.is_plugin_published + value: false + if: ctx?.json?.pluginPubDate != null + - set: + field: tenable_sc.plugin.is_plugin_published + value: true + if: ctx?.json?.pluginPubDate != '-1' + - date: + field: json.pluginPubDate + target_field: tenable_sc.plugin.plugin_pub_date + if: ctx?.json?.pluginPubDate != '-1' + ignore_failure: true + formats: + - UNIX + - set: + field: tenable_sc.plugin.is_plugin_modified + value: false + if: ctx?.json?.pluginModDate != null + - set: + field: tenable_sc.plugin.is_plugin_modified + value: true + if: ctx?.json?.pluginModDate != '-1' + - date: + field: json.pluginModDate + target_field: tenable_sc.plugin.plugin_mod_date + if: ctx?.json?.pluginModDate != '-1' + ignore_failure: true + formats: + - UNIX + - set: + field: tenable_sc.plugin.is_patch_published + value: false + if: ctx?.json?.patchPubDate != null + - set: + field: tenable_sc.plugin.is_patch_published + value: true + 
if: ctx?.json?.patchPubDate != '-1' + - date: + field: json.patchPubDate + target_field: tenable_sc.plugin.patch_pub_date + if: ctx?.json?.patchPubDate != '-1' + ignore_failure: true + formats: + - UNIX + - set: + field: tenable_sc.plugin.is_patch_modified + value: false + if: ctx?.json?.patchModDate != null + - set: + field: tenable_sc.plugin.is_patch_modified + value: true + if: ctx?.json?.patchModDate != '-1' + - date: + field: json.patchModDate + target_field: tenable_sc.plugin.patch_mod_date + if: ctx?.json?.patchModDate != '-1' + ignore_failure: true + formats: + - UNIX + - set: + field: tenable_sc.plugin.is_vulnerability_published + value: false + if: ctx?.json?.vulnPubDate != null + - set: + field: tenable_sc.plugin.is_vulnerability_published + value: true + if: ctx?.json?.vulnPubDate != '-1' + - date: + field: json.vulnPubDate + target_field: tenable_sc.plugin.vuln_pub_date + if: ctx?.json?.vulnPubDate != '-1' + ignore_failure: true + formats: + - UNIX + - date: + field: json.modifiedTime + target_field: tenable_sc.plugin.modified_time + ignore_failure: true + formats: + - UNIX + - rename: + field: json.md5 + target_field: tenable_sc.plugin.md5 + ignore_missing: true + - split: + field: json.xrefs + target_field: tenable_sc.plugin.xrefs + separator: ", " + ignore_missing: true + - rename: + field: json.source + target_field: tenable_sc.plugin.source + ignore_missing: true + - rename: + field: json.family.id + target_field: tenable_sc.plugin.family.id + ignore_missing: true + - rename: + field: json.family.name + target_field: tenable_sc.plugin.family.name + ignore_missing: true + - rename: + field: json.family.type + target_field: tenable_sc.plugin.family.type + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + 
} else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/fields/agent.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/agent.yml 
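Review bot: The `convert` on `json.version` with `type: double` turns the plugin version string into a float (the sample event in this commit shows `"version": 1.28`), so a value such as `1.10` collapses to `1.1`, and it conflicts with `fields.yml`, which declares `tenable_sc.plugin.version` as `type: version`; a plain `rename` with `ignore_missing: true` keeps the string that mapping expects. The five `set` processors that flip `is_plugin_published`, `is_plugin_modified`, `is_patch_published`, `is_patch_modified` and `is_vulnerability_published` to `true` test only `!= '-1'`, so an absent or `null` date yields `true` even though the preceding `set` to `false` is guarded by `!= null`; make the guards symmetric, e.g. `if: ctx.json?.pluginPubDate != null && ctx.json.pluginPubDate != '-1'`. The `rename` processors for `checkType`, `cvssVector`, `cvssVectorBF`, `cvssV3Vector` and `cvssV3VectorBF` rely on an `if` and omit `ignore_missing: true`, so if a record ever lacks one of those keys the rename throws and the document exits to `on_failure` with every later processor skipped; adding `ignore_missing: true` next to each `if` avoids that.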
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/fields/base-fields.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/base-fields.yml new file mode 100755 index 0000000000..e7eda88487 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: tenable_sc +- name: event.dataset + type: constant_keyword + description: Event dataset + value: tenable_sc.plugin +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/fields/ecs.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/ecs.yml new file mode 100755 index 0000000000..265be36459 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/ecs.yml 
@@ -0,0 +1,27 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: List of keywords used to tag each event. + name: tags + type: keyword diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/fields/fields.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/fields.yml new file mode 100755 index 0000000000..59392d1e23 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/fields/fields.yml 
@@ -0,0 +1,212 @@ +- name: tenable_sc.plugin + type: group + fields: + - name: base_score + type: double + description: | + The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). + - name: check_type + type: keyword + description: | + The type of the compliance check that detected the vulnerability. + - name: copyright + type: keyword + description: | + The copyright information related to the plugin. + - name: cpe + type: keyword + description: | + A list of plugin target systems identified by Common Platform Enumeration (CPE). + - name: cvss_vector + type: keyword + description: | + The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. + - name: cvss_vector_bf + type: keyword + description: | + N/A + - name: cvssv3_base_score + type: double + description: | + The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). + - name: cvssv3_temporal_score + type: double + description: | + The CVSSv3 temporal metrics for the vulnerability. + - name: cvssv3_vector + type: keyword + description: | + The raw CVSSv3 metrics for the vulnerability. For more information, see CVSSv3 documentation. + - name: cvssv3_vector_bf + type: keyword + description: | + N/A + - name: dependencies + type: keyword + description: | + N/A + - name: description + type: keyword + description: | + The extended description of the plugin. + - name: dst_port + type: long + description: | + Destination port + - name: exploit + type: group + fields: + - name: is_available + type: boolean + description: | + Indicates whether a known public exploit exists for the vulnerability. + - name: ease + type: keyword + description: | + Description of how easy it is to exploit the vulnerability. 
+ - name: frameworks + type: keyword + description: | + Frameworks used by the exploit + - name: family + type: group + fields: + - name: id + type: keyword + description: | + The ID of the plugin family. + - name: name + type: keyword + description: | + The name of the plugin family. + - name: type + type: keyword + description: | + The type of the plugin family. + - name: id + type: keyword + description: | + The ID of the plugin. + - name: is_patch_modified + type: boolean + description: | + Flag for if patch is modified + - name: is_patch_published + type: boolean + description: | + Flag for if patch is published + - name: is_plugin_modified + type: boolean + description: | + Flag for if plugin is modified + - name: is_plugin_published + type: boolean + description: | + Flag for if plugin is published + - name: is_vulnerability_published + type: boolean + description: | + Flag for if vulnerability is published + - name: md5 + type: keyword + description: | + N/A + - name: modified_time + type: date + description: | + Timestamp of last modification in plugin + - name: name + type: keyword + description: | + The name of the plugin. + - name: patch_mod_date + type: date + description: | + The date when the vendor modified the patch for the vulnerability. + - name: patch_pub_date + type: date + description: | + The date when the vendor published a patch for the vulnerability. + - name: plugin_mod_date + type: date + description: | + The date when Tenable last updated the plugin. + - name: plugin_pub_date + type: date + description: | + The date when Tenable originally published the plugin. + - name: protocol + type: keyword + description: | + Protocol used by the vulnerability + - name: required_ports + type: keyword + description: | + N/A + - name: required_udp_ports + type: keyword + description: | + N/A + - name: risk_factor + type: keyword + description: | + The risk factor associated with the plugin. 
+ - name: see_also + type: keyword + description: | + Links to external websites that contain helpful information about the vulnerability. + - name: solution + type: keyword + description: | + Remediation information for the vulnerability. + - name: source + type: keyword + description: | + N/A + - name: source_file + type: keyword + description: | + N/A + - name: src_port + type: long + description: | + Source port. + - name: stig_severity + type: keyword + description: | + STIG severity code for the vulnarebility. + - name: synopsis + type: keyword + description: | + A brief summary of the vulnerability or vulnerabilities associated with the plugin. + - name: temporal_score + type: double + description: | + The raw CVSSv2 temporal metrics for the vulnerability. + - name: type + type: keyword + description: | + The type of the plugin. + - name: version + type: version + description: | + The version of the plugin. + - name: vpr + type: group + fields: + - name: context + type: flattened + description: | + The matrix of Vulnerability Priority Rating (VPR) for the vulnerability. + - name: score + type: double + description: | + The Vulnerability Priority Rating (VPR) score for the vulnerability. + - name: vuln_pub_date + type: date + description: | + Vulnarebility publish date. + - name: xrefs + type: keyword + description: | + References to third-party information about the vulnerability, exploit, or update associated with the plugin presented as an array of objects. diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/manifest.yml b/packages/tenable_sc/1.2.2/data_stream/plugin/manifest.yml new file mode 100755 index 0000000000..e252f9303a --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/manifest.yml 
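Review bot: Eight fields in this schema (`cvss_vector_bf`, `cvssv3_vector_bf`, `dependencies`, `md5`, `required_ports`, `required_udp_ports`, `source`, `source_file`) carry the description `N/A`, which is what ends up in the exported field reference; each should state what the value is or the `description` key should be dropped rather than shipped as a placeholder. The descriptions of `stig_severity` and `vuln_pub_date` misspell the word as `vulnarebility`; the lines should read `STIG severity code for the vulnerability.` and `Vulnerability publish date.`. `exploit.is_available` is declared `type: boolean`, but the pipeline only renames the raw value and the sample event shows `"is_available": "false"` as a string; that is coerced at index time, so the declaration is fine, but a `convert` to boolean in the pipeline would make the ingest document match the mapping.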
@@ -0,0 +1,34 @@ +title: Tenable.sc plugin logs +type: logs +streams: + - input: httpjson + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - tenable_sc-plugin + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + template_path: httpjson.yml.hbs + title: Tenable.sc plugin logs + description: Collect Tenable.sc plugin logs diff --git a/packages/tenable_sc/1.2.2/data_stream/plugin/sample_event.json b/packages/tenable_sc/1.2.2/data_stream/plugin/sample_event.json new file mode 100755 index 0000000000..88c4340113 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/plugin/sample_event.json 
@@ -0,0 +1,148 @@ +{ + "@timestamp": "2021-09-27T01:33:53.000Z", + "agent": { + "ephemeral_id": "a8c9d489-b7e1-486f-b50e-7b2cba60651a", + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "tenable_sc.plugin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-02-14T16:31:46.081Z", + "dataset": "tenable_sc.plugin", + "ingested": "2022-02-14T16:31:49Z", + "kind": "event", + "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}", + "type": "info" + }, + "input": { + "type": "httpjson" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "tenable_sc-plugin" + ], + "tenable_sc": { + "plugin": { + "base_score": 7.8, + "check_type": "remote", + "copyright": "This script is Copyright (C) 2003-2020 John Lampe", + "cvss_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C", + "cvss_vector_bf": "2164920932", + "dependencies": [ + "find_service1.nasl", + "http_version.nasl", + "www_fingerprinting_hmap.nasl" + ], + "description": "Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\n\nIf this machine serves a business-critical function, there could be an impact to the business.", + "exploit": { + "ease": "No known exploits are available", + "is_available": "false" + }, + "family": { + "id": "11", + "name": "Web Servers", + "type": "active" + }, + "id": "10585", + "is_patch_modified": false, + "is_patch_published": false, + "is_plugin_modified": true, + "is_plugin_published": true, + "is_vulnerability_published": true, + "md5": "38b2147401eb5c3a15af52182682f345", + "modified_time": "2021-09-27T01:33:53.000Z", + "name": "Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS", + "plugin_mod_date": "2020-06-12T12:00:00.000Z", + "plugin_pub_date": "2003-07-22T12:00:00.000Z", + "risk_factor": "High", + "see_also": [ + "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100" + ], + "solution": "Microsoft has released a set of patches for IIS 4.0 and 5.0.", + "source_file": "IIS_frontpage_DOS_2.nasl", + "synopsis": "The remote web server is vulnerable to a denial of service", + "temporal_score": 5.8, + "type": "active", + "version": 1.28, + "vpr": { + "context": { + "_original": [ + { + "id": "age_of_vuln", + "name": "Vulnerability Age", + "type": "string", + "value": "730 days +" + }, + { + "id": "cvssV3_impactScore", + "name": "CVSS v3 Impact Score", + "type": "number", + "value": 3.6 + }, + { + "id": "exploit_code_maturity", + "name": "Exploit Code Maturity", + "type": "string", + "value": "Unproven" + }, + { + "id": "product_coverage", + "name": "Product Coverage", + "type": "string", + "value": "Low" + }, + { + "id": "threat_intensity_last_28", + "name": "Threat Intensity", + "type": "string", + "value": "Very Low" + }, + { + "id": "threat_recency", + "name": "Threat Recency", + "type": "string", + "value": "\u003e 365 days" + }, + { + "id": "threat_sources_last_28", + "name": "Threat Sources", + "type": "string", + 
"value": "No recorded events" + } + ], + "age_of_vuln": "730 days +", + "cvssV3_impactScore": 3.6, + "exploit_code_maturity": "Unproven", + "product_coverage": "Low", + "threat_intensity_last_28": "Very Low", + "threat_recency": "\u003e 365 days", + "threat_sources_last_28": "No recorded events" + }, + "score": 4.4 + }, + "vuln_pub_date": "2000-12-22T12:00:00.000Z", + "xrefs": [ + "CVE:CVE-2001-0096", + "BID:2144", + "MSFT:MS00-100", + "MSKB:280322" + ] + } + } +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/tenable_sc/1.2.2/data_stream/vulnerability/agent/stream/httpjson.yml.hbs new file mode 100755 index 0000000000..7379c15cd3 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/agent/stream/httpjson.yml.hbs 
@@ -0,0 +1,89 @@
+config_version: 2
+interval: {{interval}}
+request.method: POST
+request.url: {{url}}/rest/analysis
+request.timeout: 60s
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.transforms:
+ - delete:
+ target: header.User-Agent
+ - set:
+ # Follow Tenable's format: https://developer.tenable.com/docs/user-agent-header
+ # NOTE: The "Build" version must be kept in sync with this package's version.
+ target: header.User-Agent
+ value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.1.0)"]]'
+ - set:
+ target: body.query.tool
+ value: 'vulndetails'
+ - append:
+ target: body.query.filters
+ value: |-
+ {
+ "filterName":"lastSeen",
+ "operator":"=",
+ "value": "[[.cursor.last_event_ts]]-[[(now).Unix]]"
+ }
+ default: |-
+ {
+ "filterName":"lastSeen",
+ "operator":"=",
+ "value": "[[(now (parseDuration "-{{initial_interval}}")).Unix]]-[[(now).Unix]]"
+ }
+ value_type: json
+ - set:
+ target: body.query.type
+ value: 'vuln'
+ - set:
+ target: body.startOffset
+ value: 0
+ - set:
+ target: body.endOffset
+ value: {{batch_size}}
+ - set:
+ target: body.sourceType
+ value: 'cumulative'
+ - set:
+ target: body.sortField
+ value: 'lastSeen'
+ - set:
+ target: body.sort_direction
+ value: 'ASC'
+ - set:
+ target: body.type
+ value: 'vuln'
+ - set:
+ target: header.x-apikey
+ value: 'accesskey={{access_key}}; secretkey={{secret_key}}'
+response.split:
+ target: body.response.results
+response.pagination:
+ - set:
+ target: body.startOffset
+ value: '[[toInt .last_response.body.response.endOffset]]'
+ fail_on_template_error: true
+ - set:
+ target: body.endOffset
+ value: '[[add (toInt .last_response.body.response.endOffset) {{batch_size}}]]'
+ fail_on_template_error: true
+cursor:
+ last_event_ts:
+ value: '[[if (ge (toInt .last_response.body.response.endOffset) (toInt .last_response.body.response.totalRecords))]][[.last_event.lastSeen]][[end]]'
+tags:
+{{#if preserve_original_event}}
+ - 
preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
new file mode 100755
index 0000000000..494f6ca83b
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
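Review bot: The User-Agent transform still sends `Build/1.1.0` while this file lives under `packages/tenable_sc/1.2.2`, contradicting the NOTE directly above it that the Build version must track the package version; change it to `value: '[[userAgent "Integration/1.0 (Elastic; Tenable.sc; Build/1.2.2)"]]'`. Separately, the `header.x-apikey` transform places both the access key and the secret key on every request, so `{{url}}` must be an https endpoint and `request.ssl` must not be used to turn off certificate verification, otherwise a long-lived credential travels unprotected; a one-line comment above that `set` stating this would help operators. The two keys are also interpolated inside a single-quoted YAML scalar, so a key containing `'` would break the rendered config — presumably Tenable keys are plain hex and this never occurs, but it is worth confirming.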
@@ -0,0 +1,505 @@ +--- +description: Pipeline for Tenable.sc vulnerability logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + ignore_failure: true + - fingerprint: + fields: + - json.lastSeen + - json.pluginID + - json.ip + - json.uuid + - json.firstSeen + - json.lastSeen + - json.exploitAvailable + - json.vulnPubDate + - json.patchPubDate + - json.pluginPubDate + - json.pluginModDate + - json.pluginText + - json.dnsName + - json.macAddress + - json.operatingSystem + - json.pluginInfo + target_field: _id + ignore_missing: true + - date: + field: json.lastSeen + target_field: "@timestamp" + ignore_failure: true + formats: + - UNIX + - set: + field: event.category + value: threat + - set: + field: event.type + value: info + - set: + field: event.kind + value: event + - set: + field: vulnerability.scanner.vendor + value: Tenable + - set: + field: vulnerability.score.version + value: '3.0' + if: ctx?.json?.cvssV3BaseScore != '' || ctx?.json?.cvssV3TemporalScore != '' + - split: + field: json.seeAlso + target_field: json.seeAlso + separator: '\n' + - script: + description: | + This script will add all the cve reference links as well as the reference links provided in the response vunlerability.reference field. 
+ lang: painless + source: >- + Set referenceSet = new HashSet(); + if (ctx.json.cve != '') { + def cveIDs = ctx.json.cve.toString().splitOnToken(","); + for (int i = 0; i < cveIDs.length; i++) { + referenceSet.add("https://cve.mitre.org/cgi-bin/cvename.cgi?name=" + cveIDs[i]); + } + } + def seeAlsoLinks = ctx.json.seeAlso; + if (seeAlsoLinks != null) { + for (int i = 0; i < seeAlsoLinks.length; i++) { + referenceSet.add(seeAlsoLinks[i]); + } + } + ctx.vulnerability.reference = new ArrayList(referenceSet); + - set: + field: vulnerability.enumeration + value: 'CVE' + if: ctx?.json?.cve != '' + - split: + field: json.cve + target_field: vulnerability.id + separator: ',' + - set: + field: vulnerability.classification + value: 'CVSS' + if: ctx?.json?.cvssV3BaseScore != '' || ctx?.json?.cvssV3TemporalScore != '' + - convert: + field: json.cvssV3BaseScore + type: float + ignore_failure: true + - rename: + field: json.cvssV3BaseScore + target_field: vulnerability.score.base + ignore_missing: true + - convert: + field: json.cvssV3TemporalScore + type: float + ignore_failure: true + - rename: + field: json.cvssV3TemporalScore + target_field: vulnerability.score.temporal + ignore_missing: true + - rename: + field: json.description + target_field: vulnerability.description + ignore_missing: true + - rename: + field: json.severity.name + target_field: vulnerability.severity + ignore_missing: true + - rename: + field: json.severity.id + target_field: tenable_sc.vulnerability.severity.id + ignore_missing: true + - script: + if: ctx.json.uniqueness != "" + lang: painless + source: >- + def keys = ctx.json.uniqueness.toString().splitOnToken(","); + String uniqueKey = ""; + if (keys.length > 0) { + for (int i = 0; i < keys.length; i++) { + if(keys[i] == "repositoryID") { + uniqueKey = uniqueKey + ctx.json.repository.id + (i == keys.length - 1 ? "" : "_"); + } else { + uniqueKey = uniqueKey + ctx.json[keys[i]] + (i == keys.length - 1 ? 
"" : "_"); + } + } + } + ctx.tenable_sc.vulnerability.id = uniqueKey; + - fingerprint: + fields: + - json.pluginID + - json.port + - json.protocol + - tenable_sc.vulnerability.id + target_field: tenable_sc.vulnerability.custom_hash + method: SHA-256 + ignore_missing: true + - rename: + field: json.pluginID + target_field: tenable_sc.vulnerability.plugin.id + ignore_missing: true + - rename: + field: json.severity.description + target_field: tenable_sc.vulnerability.severity.description + ignore_missing: true + - set: + field: tenable_sc.vulnerability.has_been_mitigated + value: false + if: ctx?.json?.hasBeenMitigated == '0' + - set: + field: tenable_sc.vulnerability.has_been_mitigated + value: true + if: ctx?.json?.hasBeenMitigated == '1' + - rename: + field: json.acceptRisk + target_field: tenable_sc.vulnerability.accept_risk + ignore_missing: true + - rename: + field: json.recastRisk + target_field: tenable_sc.vulnerability.recast_risk + ignore_missing: true + - rename: + field: json.vprScore + target_field: tenable_sc.vulnerability.vpr.score + if: ctx?.json?.vprScore != '' + - convert: + field: tenable_sc.vulnerability.vpr.score + type: double + ignore_failure: true + - json: + field: json.vprContext + target_field: json.vprContext + ignore_failure: true + - script: + if: ctx?.json?.vprContext != null + lang: painless + source: >- + def parts = ctx.json.vprContext; + if (parts != null && parts.length > 0) { + Map map = new HashMap(); + for (int i = 0; i < parts.length; i++) { + map.put(parts[i]["id"], parts[i]["value"]) + } + ctx.tenable_sc.vulnerability.vpr.context = map; + ctx.tenable_sc.vulnerability.vpr.context._original = parts; + } + - append: + field: related.ip + value: '{{{json.ip}}}' + if: ctx?.json?.ip != null + - append: + field: host.ip + value: '{{{json.ip}}}' + if: ctx?.json?.ip != null + - rename: + field: json.ip + target_field: tenable_sc.vulnerability.ip + ignore_missing: true + - rename: + field: json.port + target_field: 
tenable_sc.vulnerability.port + ignore_missing: true + - rename: + field: json.protocol + target_field: tenable_sc.vulnerability.protocol + ignore_missing: true + - rename: + field: json.pluginName + target_field: tenable_sc.vulnerability.plugin.name + ignore_missing: true + - date: + field: json.firstSeen + target_field: tenable_sc.vulnerability.first_seen + ignore_failure: true + formats: + - UNIX + - date: + field: json.lastSeen + target_field: tenable_sc.vulnerability.last_seen + ignore_failure: true + formats: + - UNIX + - set: + field: tenable_sc.vulnerability.exploit.is_available + value: true + if: ctx?.json?.exploitAvailable == 'Yes' + - set: + field: tenable_sc.vulnerability.exploit.is_available + value: false + if: ctx?.json?.exploitAvailable == 'No' + - rename: + field: json.exploitEase + target_field: tenable_sc.vulnerability.exploit.ease + ignore_missing: true + - rename: + field: json.exploitFrameworks + target_field: tenable_sc.vulnerability.exploit.frameworks + ignore_missing: true + - rename: + field: json.solution + target_field: tenable_sc.vulnerability.solution + ignore_missing: true + - rename: + field: json.synopsis + target_field: tenable_sc.vulnerability.synopsis + ignore_missing: true + - rename: + field: json.riskFactor + target_field: tenable_sc.vulnerability.risk_factor + ignore_missing: true + - rename: + field: json.stigSeverity + target_field: tenable_sc.vulnerability.stig_severity + ignore_missing: true + - rename: + field: json.baseScore + target_field: tenable_sc.vulnerability.base_score + ignore_missing: true + - rename: + field: json.temporalScore + target_field: tenable_sc.vulnerability.temporal_score + ignore_missing: true + - rename: + field: json.cvssVector + target_field: tenable_sc.vulnerability.cvss_vector + ignore_missing: true + - rename: + field: json.cvssV3Vector + target_field: tenable_sc.vulnerability.cvss_v3_vector + ignore_missing: true + - split: + field: json.cpe + target_field: tenable_sc.vulnerability.cpe + 
separator: '
' + ignore_missing: true + - set: + field: tenable_sc.vulnerability.is_vulnerability_published + value: false + if: ctx?.json?.vulnPubDate != null + - set: + field: tenable_sc.vulnerability.is_vulnerability_published + value: true + if: ctx?.json?.vulnPubDate != '-1' + - date: + field: json.vulnPubDate + target_field: tenable_sc.vulnerability.vuln_pub_date + ignore_failure: true + if: ctx?.json?.vulnPubDate != '-1' + formats: + - UNIX + - set: + field: tenable_sc.vulnerability.patch.is_published + value: false + if: ctx?.json?.patchPubDate != null + - set: + field: tenable_sc.vulnerability.patch.is_published + value: true + if: ctx?.json?.patchPubDate != '-1' + - date: + field: json.patchPubDate + target_field: tenable_sc.vulnerability.patch.pub_date + ignore_failure: true + if: ctx?.json?.patchPubDate != '-1' + formats: + - UNIX + - set: + field: tenable_sc.vulnerability.plugin.is_modified + value: false + if: ctx?.json?.pluginModDate != null + - set: + field: tenable_sc.vulnerability.plugin.is_modified + value: true + if: ctx?.json?.pluginModDate != '-1' + - date: + field: json.pluginModDate + target_field: tenable_sc.vulnerability.plugin.mod_date + ignore_failure: true + if: ctx?.json?.pluginModDate != '-1' + formats: + - UNIX + - set: + field: tenable_sc.vulnerability.plugin.is_published + value: false + if: ctx?.json?.pluginPubDate != null + - set: + field: tenable_sc.vulnerability.plugin.is_published + value: true + if: ctx?.json?.pluginPubDate != '-1' + - date: + field: json.pluginPubDate + target_field: tenable_sc.vulnerability.plugin.pub_date + ignore_failure: true + if: ctx?.json?.pluginPubDate != '-1' + formats: + - UNIX + - rename: + field: json.uuid + target_field: tenable_sc.vulnerability.uuid + ignore_missing: true + - rename: + field: json.checkType + target_field: tenable_sc.vulnerability.check_type + ignore_missing: true + - rename: + field: json.version + target_field: tenable_sc.vulnerability.version + ignore_missing: true + - rename: + field: 
json.bid + target_field: tenable_sc.vulnerability.bid + ignore_missing: true + - split: + field: json.xref + target_field: tenable_sc.vulnerability.xref + separator: "," + ignore_missing: true + - rename: + field: json.pluginText + target_field: tenable_sc.vulnerability.plugin.text + ignore_missing: true + - set: + field: host.hostname + copy_from: json.dnsName + ignore_failure: true + - set: + field: tenable_sc.vulnerability.dns.name + copy_from: json.dnsName + ignore_failure: true + - script: + lang: painless + source: | + def domain = ""; + def nameArray = ctx?.json?.dnsName?.toString().splitOnToken("."); + if (nameArray?.length > 0) { + for (int i = 1; i < nameArray.length; i++) { + domain += nameArray[i] + (i < nameArray.length - 1 ? "." : ""); + } + ctx.host.name = nameArray[0]; + ctx.host.domain = domain; + } + - append: + field: related.hosts + value: "{{{host.hostname}}}" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{host.name}}}" + allow_duplicates: false + - append: + field: related.hosts + value: "{{{json.netbiosName}}}" + allow_duplicates: false + - gsub: + field: json.macAddress + pattern: '[-:.]' + replacement: '-' + ignore_missing: true + - uppercase: + field: json.macAddress + ignore_missing: true + - append: + if: ctx?.json?.macAddress != null + field: host.mac + value: '{{{json.macAddress}}}' + allow_duplicates: false + - rename: + field: json.macAddress + target_field: tenable_sc.vulnerability.mac + ignore_missing: true + - rename: + field: json.netbiosName + target_field: tenable_sc.vulnerability.netbios.name + ignore_missing: true + - set: + field: host.os.full + copy_from: json.operatingSystem + ignore_failure: true + - rename: + field: json.operatingSystem + target_field: tenable_sc.vulnerability.operating_system + ignore_missing: true + - rename: + field: json.uniqueness + target_field: tenable_sc.vulnerability.uniqueness + ignore_missing: true + - rename: + field: json.hostUniqueness + target_field: 
tenable_sc.vulnerability.host_uniqueness + ignore_missing: true + - rename: + field: json.family.id + target_field: tenable_sc.vulnerability.family.id + ignore_missing: true + - append: + field: vulnerability.category + value: '{{{json.family.name}}}' + if: ctx?.json?.family?.name != '' + - rename: + field: json.family.name + target_field: tenable_sc.vulnerability.family.name + ignore_missing: true + - rename: + field: json.family.type + target_field: tenable_sc.vulnerability.family.type + ignore_missing: true + - rename: + field: json.repository.id + target_field: tenable_sc.vulnerability.repository.id + ignore_missing: true + - rename: + field: json.repository.name + target_field: tenable_sc.vulnerability.repository.name + ignore_missing: true + - rename: + field: json.repository.description + target_field: tenable_sc.vulnerability.repository.description + ignore_missing: true + - rename: + field: json.repository.sciID + target_field: tenable_sc.vulnerability.repository.sci_id + ignore_missing: true + - rename: + field: json.repository.dataFormat + target_field: tenable_sc.vulnerability.repository.data_format + ignore_missing: true + - rename: + field: json.pluginInfo + target_field: tenable_sc.vulnerability.plugin.info + ignore_missing: true + - script: + description: Drops null/empty values recursively + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: json + ignore_missing: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: "{{{ _ingest.on_failure_message }}}" 
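Review bot: The vprContext script assigns `ctx.tenable_sc.vulnerability.vpr.context`, but `tenable_sc.vulnerability.vpr` is only created by the preceding `rename` of `json.vprScore`, which is skipped when `vprScore` is `''`; a record with an empty vprScore and a non-empty vprContext would therefore raise a null-pointer error, land in `on_failure`, and be indexed with little more than `error.message` set. The uniqueness script has the same implicit dependency on `ctx.tenable_sc.vulnerability` having been created by the earlier `json.severity.id` rename. Guard each script before writing, e.g. `if (ctx.tenable_sc == null) ctx.tenable_sc = new HashMap();` / `if (ctx.tenable_sc.vulnerability == null) ctx.tenable_sc.vulnerability = new HashMap();` / `if (ctx.tenable_sc.vulnerability.vpr == null) ctx.tenable_sc.vulnerability.vpr = new HashMap();`. Minor: the `_id` fingerprint lists `json.lastSeen` twice; dropping the duplicate does not change uniqueness but removes a question for the next reader.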
diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/agent.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/agent.yml new file mode 100755 index 0000000000..e313ec8287 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/agent.yml 
@@ -0,0 +1,204 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/base-fields.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/base-fields.yml new file mode 100755 index 0000000000..8911f9b10e --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: tenable_sc +- name: event.dataset + type: constant_keyword + description: Event dataset + value: tenable_sc.vulnerability +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/ecs.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/ecs.yml new file mode 100755 index 0000000000..073b1073e5 --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/ecs.yml 
@@ -0,0 +1,86 @@ +- description: |- + ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. + When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + name: ecs.version + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. + `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. + This field is an array. This will allow proper categorization of some events that fall in multiple categories. + name: event.category + type: keyword +- description: |- + event.created contains the date/time when the event was first read by an agent, or by your pipeline. + This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. + In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. + In case the two timestamps are identical, @timestamp should be used. + name: event.created + type: date +- description: |- + This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. + `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. + The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. + name: event.kind + type: keyword +- description: |- + This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. + `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. + This field is an array. This will allow proper categorization of some events that fall in multiple event types. + name: event.type + type: keyword +- description: All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + name: related.hosts + type: keyword +- description: All of the IPs seen on your event. + name: related.ip + type: ip +- description: List of keywords used to tag each event. + name: tags + type: keyword +- description: |- + The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) + This field must be an array. + name: vulnerability.category + type: keyword +- description: The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + name: vulnerability.classification + type: keyword +- description: The description of the vulnerability that provides additional context of the vulnerability. 
For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + multi_fields: + - name: text + type: match_only_text + name: vulnerability.description + type: keyword +- description: The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + name: vulnerability.enumeration + type: keyword +- description: The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + name: vulnerability.id + type: keyword +- description: The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.severity + type: keyword +- description: A resource that provides additional information, context, and mitigations for the identified vulnerability. + name: vulnerability.reference + type: keyword +- description: The report or scan identification number. + name: vulnerability.report_id + type: keyword +- description: The name of the vulnerability scanner vendor. + name: vulnerability.scanner.vendor + type: keyword +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.base + type: float +- description: |- + Scores can range from 0.0 to 10.0, with 10.0 being the most severe. + Temporal scores cover an assessment for code maturity, remediation level, and confidence. 
For example (https://www.first.org/cvss/specification-document) + name: vulnerability.score.temporal + type: float +- description: |- + The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. + CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + name: vulnerability.score.version + type: keyword diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/fields.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/fields.yml new file mode 100755 index 0000000000..a8751dd06b --- /dev/null +++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/fields/fields.yml 
@@ -0,0 +1,258 @@ +- name: tenable_sc.vulnerability + type: group + fields: + - name: accept_risk + type: keyword + description: | + N/A + - name: base_score + type: keyword + description: | + Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. + - name: bid + type: keyword + description: | + The Bugtraq ID. + - name: check_type + type: keyword + description: | + The type of the compliance check that detected the vulnerability. + - name: cpe + type: keyword + description: | + The Common Platform Enumeration (CPE) number for the plugin. + - name: cvss_v3_vector + type: keyword + description: | + Additional CVSSv3 metrics for the vulnerability. + - name: cvss_vector + type: keyword + description: | + Additional CVSSv2 metrics for the vulnerability. + - name: custom_hash + type: keyword + description: | + Hash of fields plugin_id, port, protocol, tenable_sc.vulnerability.id for uniqueidentifier of an vulnerability. + - name: dns + type: group + fields: + - name: name + type: keyword + description: | + DNS name + - name: exploit + type: group + fields: + - name: is_available + type: boolean + description: | + A value specifying whether a public exploit exists for the vulnerability. + - name: ease + type: keyword + description: | + Description of how easy it is to exploit the vulnerability. + - name: frameworks + type: keyword + description: | + Framework used by exploit + - name: family + type: group + fields: + - name: id + type: keyword + description: | + Family id of the vulnarebility. + - name: name + type: keyword + description: | + Family name of the vulnarebility. + - name: type + type: keyword + description: | + Family type of the vulnarebility. + - name: first_seen + type: date + description: | + The time and date when a scan first identified the vulnerability. + - name: has_been_mitigated + type: boolean + description: | + Indicates whether the vulnerability has been mitigated. 
+ - name: host_uniqueness + type: keyword + description: | + Name of the fields used to determine the uniqueness of the host. + - name: is_vulnerability_published + type: boolean + description: | + Flag for if vulnerablity is published + - name: id + type: keyword + description: | + String containing the values of the field names mentioned in uniqueness concatenated with '_' + - name: ip + type: keyword + description: | + The ip address of the asset where a scan found the vulnerability + - name: last_seen + type: date + description: | + The time and date when a scan most recently identified the vulnerability. + - name: mac + type: keyword + description: | + The MAC address of the asset where a scan found the vulnerability + - name: netbios + type: group + fields: + - name: name + type: keyword + description: | + NetBIOS name of the asset where a scan found the vulnerability + - name: operating_system + type: keyword + description: | + The operating system of the asset where a scan found the vulnerability. + - name: patch + type: group + fields: + - name: is_published + type: boolean + description: | + Flag for if vulnerablity is patched + - name: pub_date + type: date + description: | + The date on which the patch for the vulnerability was published. + - name: plugin + type: group + fields: + - name: id + type: keyword + description: | + The ID of the plugin. + - name: is_modified + type: boolean + description: | + Flag for if plugin is modified + - name: is_published + type: boolean + description: | + Flag for if plugin is published + - name: info + type: keyword + description: | + Information regarding the plugin. + - name: mod_date + type: date + description: | + The date on which the vulnerability was modified. + - name: name + type: keyword + description: | + The name of the plugin. + - name: pub_date + type: date + description: | + The date on which the vulnerability was published. + - name: text + type: keyword + description: | + Text provided by plugin. 
(Usually plugin output text) + - name: port + type: keyword + description: | + The port the scanner used to communicate with the asset. + - name: protocol + type: keyword + description: | + The protocol the scanner used to communicate with the asset. + - name: recast_risk + type: keyword + description: | + Modified the severity risk measure of vulnerabilities using recast rules + - name: repository + type: group + fields: + - name: data_format + type: keyword + description: | + The data format of the repository + - name: description + type: keyword + description: | + The description of the repository. + - name: id + type: keyword + description: | + The ID of the repository. + - name: name + type: keyword + description: | + The name of the repository. + - name: sci_id + type: keyword + description: | + N/A + - name: risk_factor + type: keyword + description: | + The risk factor associated with the vulnerability. + - name: severity + type: group + fields: + - name: description + type: keyword + description: | + The description of the severity. + - name: id + type: keyword + description: | + The code for the severity assigned when a user recasts the risk associated with the vulnerability. + - name: solution + type: keyword + description: | + Remediation information for the vulnerability. + - name: stig_severity + type: keyword + description: | + Security Technical Implementation Guide (STIG) severity code for the vulnerability. + - name: synopsis + type: keyword + description: | + Brief description of the vulnerability. + - name: temporal_score + type: keyword + description: | + Characteristics of a vulnerability that change over time but not among user environments. + - name: uniqueness + type: keyword + description: | + Name of the fields used to determine the uniqueness of the vulnerability. + - name: uuid + type: keyword + description: | + N/A + - name: version + type: keyword + description: | + The version of the vulnerability. 
+ - name: vpr
+ type: group
+ fields:
+ - name: context
+ type: flattened
+ description: |
+ The matrix of Vulnerability Priority Rating (VPR) for the vulnerability.
+ - name: score
+ type: double
+ description: |
+ The Vulnerability Priority Rating (VPR) score for the vulnerability.
+ - name: vuln_pub_date
+ type: date
+ description: |
+ The date on which the vulnerability was published.
+ - name: xref
+ type: keyword
+ description: |
+ References to third-party information about the vulnerability, exploit, or update associated with the plugin.
diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/manifest.yml b/packages/tenable_sc/1.2.2/data_stream/vulnerability/manifest.yml
new file mode 100755
index 0000000000..ef17480e68
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/manifest.yml
@@ -0,0 +1,34 @@
+title: Tenable.sc vulnerability logs
+type: logs
+streams:
+ - input: httpjson
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - tenable_sc-vulnerability
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ template_path: httpjson.yml.hbs
+ title: Tenable.sc vulnerability logs
+ description: Collect Tenable.sc vulnerability logs
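Review bot: `base_score` and `temporal_score` in the new fields.yml are mapped as `keyword`, so the CVSS scores cannot be range-filtered or aggregated (no `base_score >= 7` triage query, no average per repository), while `vpr.score` in the same file is `double` and the plugin data stream's README sample in this commit shows `base_score` ingested as a number (`7.8`), so the two data streams disagree on the type of the same Tenable field. `type: double` (or `float`, matching `vulnerability.score.base`) would be consistent; the sample event carries `"base_score": "0.0"` as a string and an empty `temporalScore`, so the ingest pipeline (not in this hunk) would need to convert and to drop the empty value. The placeholder `N/A` descriptions on `accept_risk`, `repository.sci_id` and `uuid`, and the misspellings `vulnarebility`, `vulnerablity` and `uniqueidentifier of an vulnerability`, are copied verbatim into the README's exported-fields table, so they are worth fixing before release; `description: | Whether the risk for this finding has been accepted` is a plausible replacement for the first, to be confirmed against the Tenable.sc API documentation.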
diff --git a/packages/tenable_sc/1.2.2/data_stream/vulnerability/sample_event.json b/packages/tenable_sc/1.2.2/data_stream/vulnerability/sample_event.json
new file mode 100755
index 0000000000..c1872bec2d
--- /dev/null
+++ b/packages/tenable_sc/1.2.2/data_stream/vulnerability/sample_event.json
@@ -0,0 +1,207 @@ +{ + "@timestamp": "2021-09-25T16:08:45.000Z", + "agent": { + "ephemeral_id": "e54df727-cc1b-4dcf-8dd5-6d4c93723135", + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "tenable_sc.vulnerability", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "threat", + "created": "2022-02-14T16:32:52.226Z", + "dataset": "tenable_sc.vulnerability", + "ingested": "2022-02-14T16:32:55Z", + "kind": "event", + "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. 
This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days 
+\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}", + "type": "info" + }, + "host": { + "domain": "lxd", + "hostname": "_gateway.lxd", + "ip": [ + "10.238.64.1" + ], + "mac": [ + "00-16-3E-A1-12-F7" + ], + "name": "_gateway", + "os": { + "full": "Linux Kernel 2.6" + } + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "_gateway.lxd", + "_gateway" + ], + "ip": [ + "10.238.64.1" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "tenable_sc-vulnerability" + ], + "tenable_sc": { + "vulnerability": { + "accept_risk": "0", + "base_score": "0.0", + "check_type": "remote", + "custom_hash": "qVUXK2YtClsBlXncLYHLhVzynYK4hG2NbT0hY6guQm0=", + "cvss_v3_vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", + "cvss_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:N", + "dns": { + "name": "_gateway.lxd" + }, + "exploit": { + "is_available": false + }, + "family": { + "id": "30", + "name": "General", + "type": "active" + }, + "first_seen": "2019-02-27T16:27:52.000Z", + "has_been_mitigated": false, + "host_uniqueness": "repositoryID,ip,dnsName", + "id": "1_10.238.64.1__gateway.lxd", + "ip": "10.238.64.1", 
+ "is_vulnerability_published": true, + "last_seen": "2021-09-25T16:08:45.000Z", + "mac": "00-16-3E-A1-12-F7", + "operating_system": "Linux Kernel 2.6", + "patch": { + "is_published": false + }, + "plugin": { + "id": "10114", + "info": "10114 (0/1) ICMP Timestamp Request Remote Date Disclosure", + "is_modified": true, + "is_published": true, + "mod_date": "2019-10-04T12:00:00.000Z", + "name": "ICMP Timestamp Request Remote Date Disclosure", + "pub_date": "1999-08-01T12:00:00.000Z", + "text": "\u003cplugin_output\u003eThe remote clock is synchronized with the local clock.\n\u003c/plugin_output\u003e" + }, + "port": "0", + "protocol": "ICMP", + "recast_risk": "0", + "repository": { + "data_format": "IPv4", + "id": "1", + "name": "Live", + "sci_id": "1" + }, + "risk_factor": "None", + "severity": { + "description": "Informative", + "id": "0" + }, + "solution": "Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).", + "synopsis": "It is possible to determine the exact time set on the remote host.", + "uniqueness": "repositoryID,ip,dnsName", + "version": "1.48", + "vpr": { + "context": { + "_original": [ + { + "id": "age_of_vuln", + "name": "Vulnerability Age", + "type": "string", + "value": "730 days +" + }, + { + "id": "cvssV3_impactScore", + "name": "CVSS v3 Impact Score", + "type": "number", + "value": 0 + }, + { + "id": "exploit_code_maturity", + "name": "Exploit Code Maturity", + "type": "string", + "value": "Unproven" + }, + { + "id": "product_coverage", + "name": "Product Coverage", + "type": "string", + "value": "Very High" + }, + { + "id": "threat_intensity_last_28", + "name": "Threat Intensity", + "type": "string", + "value": "Very Low" + }, + { + "id": "threat_recency", + "name": "Threat Recency", + "type": "string", + "value": "No recorded events" + }, + { + "id": "threat_sources_last_28", + "name": "Threat Sources", + "type": "string", + "value": "No recorded events" + } + ], + "age_of_vuln": "730 days +", + 
"cvssV3_impactScore": 0, + "exploit_code_maturity": "Unproven", + "product_coverage": "Very High", + "threat_intensity_last_28": "Very Low", + "threat_recency": "No recorded events", + "threat_sources_last_28": "No recorded events" + }, + "score": 0.8 + }, + "vuln_pub_date": "1995-01-01T12:00:00.000Z", + "xref": [ + "CWE #200" + ] + } + }, + "vulnerability": { + "category": [ + "General" + ], + "classification": "CVSS", + "description": "The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\n\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.", + "enumeration": "CVE", + "id": [ + "CVE-1999-0524" + ], + "reference": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0524" + ], + "scanner": { + "vendor": "Tenable" + }, + "score": { + "base": 0, + "version": "3.0" + }, + "severity": "Info" + } +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/docs/README.md b/packages/tenable_sc/1.2.2/docs/README.md new file mode 100755 index 0000000000..a911c3d5d1 --- /dev/null +++ b/packages/tenable_sc/1.2.2/docs/README.md 
@@ -0,0 +1,807 @@ +# Tenable.sc + +The Tenable.sc integration collects and parses data from the [Tenable.sc](https://docs.tenable.com/tenablesc/Content/Welcome.htm) APIs. + +## Compatibility + +This module has been tested against `Tenable.sc version 5.18` + +## Requirements + +In order to ingest data from the Tenable.sc you must have the **Access key** and **Secret Key**. + +Enable API keys to allow users to perform API key authentication. + +See Tenable's documentation for more information on: + +* [Enabling API Key Authentication](https://docs.tenable.com/tenablesc/Content/EnableAPIKeys.htm) +* [Generating API keys]( https://docs.tenable.com/tenablesc/Content/GenerateAPIKey.htm) + +> Note: The default value is the recommended value for a batch size by Tenable. It can be found under _Advanced Options_ and can be configured as per requirements. A very large value might not work as intended depending on the API and instance limitations. + +## Logs + +### Asset + +This is the `asset` dataset. 
+ +An example event for `asset` looks as following: + +```json +{ + "@timestamp": "2022-02-14T16:30:33.654Z", + "agent": { + "ephemeral_id": "2bf50bac-f76f-4c1a-b758-e2f62bffd73d", + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "tenable_sc.asset", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "category": "host", + "created": "2022-02-14T16:30:33.654Z", + "dataset": "tenable_sc.asset", + "ingested": "2022-02-14T16:30:37Z", + "kind": "state", + "original": "{\"biosGUID\":\"9e8c4d43-982b-4405-a76c-d56c1d6cf117\",\"dnsName\":\"rnkmigauv2l8zeyf.example\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"0.0.228.153\",\"lastAuthRun\":\"\",\"lastUnauthRun\":\"\",\"macAddress\":\"00:00:00:47:05:0d\",\"mcafeeGUID\":\"\",\"netbiosName\":\"UNKNOWN\\\\RNKMIGAUV2L8ZEYF.EXAMPLE\",\"osCPE\":\"cpe:/o:microsoft:windows_10:::x64-home\",\"pluginSet\":\"201901281542\",\"policyName\":\"Basic Agent Scan\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"2\",\"name\":\"Staged-Large\",\"sciID\":\"1\"},\"score\":\"307\",\"severityCritical\":\"6\",\"severityHigh\":\"4\",\"severityInfo\":\"131\",\"severityLow\":\"0\",\"severityMedium\":\"9\",\"total\":\"150\",\"tpmID\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"4add65d0-27fc-491c-91ba-3f498a61f49e\"}", + "type": "info" + }, + "host": { + "domain": "example", + "hostname": "rnkmigauv2l8zeyf.example", + "ip": [ + "0.0.228.153" + ], + "mac": [ + "00-00-00-47-05-0D" + ], + "name": "rnkmigauv2l8zeyf" + }, + "input": { + "type": "httpjson" + }, + "related": { + "hosts": [ + "rnkmigauv2l8zeyf.example", + "rnkmigauv2l8zeyf", + "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" + ], + "ip": [ + "0.0.228.153" + ] + }, + 
"tags": [ + "preserve_original_event", + "forwarded", + "tenable_sc-asset" + ], + "tenable_sc": { + "asset": { + "bios": { + "guid": "9e8c4d43-982b-4405-a76c-d56c1d6cf117" + }, + "custom_hash": "ilZiksv+pbvyBkKXgFRLGuMuUovfGI0pjIX5yLMp+I8=", + "dns": { + "name": "rnkmigauv2l8zeyf.example" + }, + "host_uniqueness": "repositoryID,ip,dnsName", + "ip": "0.0.228.153", + "mac": "00-00-00-47-05-0D", + "netbios": { + "name": "UNKNOWN\\RNKMIGAUV2L8ZEYF.EXAMPLE" + }, + "os_cpe": "cpe:/o:microsoft:windows_10:::x64-home", + "plugin_set": "201901281542", + "policy": { + "name": "Basic Agent Scan" + }, + "repository": { + "data_format": "IPv4", + "id": "2", + "name": "Staged-Large", + "sci": { + "id": "1" + } + }, + "score": 307, + "severity": { + "critical": 6, + "high": 4, + "info": 131, + "low": 0, + "medium": 9 + }, + "total": 150, + "uniqueness": "repositoryID,ip,dnsName", + "uuid": "4add65d0-27fc-491c-91ba-3f498a61f49e" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module | constant_keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. 
| keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | +| tenable_sc.asset.bios.guid | GUID of bios | keyword | +| tenable_sc.asset.custom_hash | Hash representing the values of the field names mentioned in uniqueness field in order to uniquely identify an asset. | keyword | +| tenable_sc.asset.dns.name | DNS name of the asset | keyword | +| tenable_sc.asset.host_uniqueness | Host Uniqueness | keyword | +| tenable_sc.asset.ip | The IPv4 address of the asset. | keyword | +| tenable_sc.asset.last_auth_run | The timestamp of last auth run | keyword | +| tenable_sc.asset.last_unauth_run | The timestamp of last unauth run | keyword | +| tenable_sc.asset.mac | The mac address of the asset | keyword | +| tenable_sc.asset.mcafee.guid | GUID of McAfee. 
| keyword | +| tenable_sc.asset.netbios.name | Name of netbios of the asset | keyword | +| tenable_sc.asset.os_cpe | OS CPE (Common Platform Enumeration is a standardized way to name software applications, operating systems, and hardware platforms) | keyword | +| tenable_sc.asset.plugin_set | The plugin set the asset fall in. | keyword | +| tenable_sc.asset.policy.name | The name of the policy that is assigned to the asset | keyword | +| tenable_sc.asset.repository.data_format | Data format. | keyword | +| tenable_sc.asset.repository.description | Description of repository. | keyword | +| tenable_sc.asset.repository.id | ID of repository the asset belongs to. | keyword | +| tenable_sc.asset.repository.name | Name of repository the asset belongs to. | keyword | +| tenable_sc.asset.repository.sci.id | Sci ID. | keyword | +| tenable_sc.asset.score | The score of the asset | long | +| tenable_sc.asset.severity.critical | The critical score of the asset | long | +| tenable_sc.asset.severity.high | The high score of the asset | long | +| tenable_sc.asset.severity.info | The info score of the asset | long | +| tenable_sc.asset.severity.low | The low score of the asset | long | +| tenable_sc.asset.severity.medium | The medium score of the asset | long | +| tenable_sc.asset.total | The total score for the asset | long | +| tenable_sc.asset.tpm.id | The ID of TPM. | keyword | +| tenable_sc.asset.uniqueness | Uniqueness | keyword | +| tenable_sc.asset.uuid | The uuid of the asset. | keyword | + + +### Plugin + +This is the `plugin` dataset. 
+ +An example event for `plugin` looks as following: + +```json +{ + "@timestamp": "2021-09-27T01:33:53.000Z", + "agent": { + "ephemeral_id": "a8c9d489-b7e1-486f-b50e-7b2cba60651a", + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.0" + }, + "data_stream": { + "dataset": "tenable_sc.plugin", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc", + "snapshot": true, + "version": "8.2.0" + }, + "event": { + "agent_id_status": "verified", + "created": "2022-02-14T16:31:46.081Z", + "dataset": "tenable_sc.plugin", + "ingested": "2022-02-14T16:31:49Z", + "kind": "event", + "original": "{\"baseScore\":\"7.8\",\"checkType\":\"remote\",\"copyright\":\"This script is Copyright (C) 2003-2020 John Lampe\",\"cpe\":\"\",\"cvssV3BaseScore\":null,\"cvssV3TemporalScore\":null,\"cvssV3Vector\":\"\",\"cvssV3VectorBF\":\"0\",\"cvssVector\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C\",\"cvssVectorBF\":\"2164920932\",\"dependencies\":\"find_service1.nasl,http_version.nasl,www_fingerprinting_hmap.nasl\",\"description\":\"Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\\n\\nIf this machine serves a business-critical function, there could be an impact to the business.\",\"dstPort\":null,\"exploitAvailable\":\"false\",\"exploitEase\":\"No known exploits are available\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"11\",\"name\":\"Web Servers\",\"type\":\"active\"},\"id\":\"10585\",\"md5\":\"38b2147401eb5c3a15af52182682f345\",\"modifiedTime\":\"1632706433\",\"name\":\"Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS\",\"patchModDate\":\"-1\",\"patchPubDate\":\"-1\",\"pluginModDate\":\"1591963200\",\"pluginPubDate\":\"1058875200\",\"protocol\":\"\",\"requiredPorts\":\"\",\"requiredUDPPorts\":\"\",\"riskFactor\":\"High\",\"seeAlso\":\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100\",\"solution\":\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\",\"sourceFile\":\"IIS_frontpage_DOS_2.nasl\",\"srcPort\":null,\"stigSeverity\":null,\"synopsis\":\"The remote web server is vulnerable to a denial of service\",\"temporalScore\":\"5.8\",\"type\":\"active\",\"version\":\"1.28\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days +\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":3.6000000000000001},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Low\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat 
Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"\\u003e 365 days\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"4.4\",\"vulnPubDate\":\"977486400\",\"xrefs\":\"CVE:CVE-2001-0096, BID:2144, MSFT:MS00-100, MSKB:280322\"}",
+ "type": "info"
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "tenable_sc-plugin"
+ ],
+ "tenable_sc": {
+ "plugin": {
+ "base_score": 7.8,
+ "check_type": "remote",
+ "copyright": "This script is Copyright (C) 2003-2020 John Lampe",
+ "cvss_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C",
+ "cvss_vector_bf": "2164920932",
+ "dependencies": [
+ "find_service1.nasl",
+ "http_version.nasl",
+ "www_fingerprinting_hmap.nasl"
+ ],
+ "description": "Microsoft IIS, running Frontpage extensions, is vulnerable to a remote denial of service attack usually called the 'malformed web submission' vulnerability. 
An attacker, exploiting this vulnerability, will be able to render the service unusable.\n\nIf this machine serves a business-critical function, there could be an impact to the business.",
+ "exploit": {
+ "ease": "No known exploits are available",
+ "is_available": "false"
+ },
+ "family": {
+ "id": "11",
+ "name": "Web Servers",
+ "type": "active"
+ },
+ "id": "10585",
+ "is_patch_modified": false,
+ "is_patch_published": false,
+ "is_plugin_modified": true,
+ "is_plugin_published": true,
+ "is_vulnerability_published": true,
+ "md5": "38b2147401eb5c3a15af52182682f345",
+ "modified_time": "2021-09-27T01:33:53.000Z",
+ "name": "Microsoft IIS Frontpage Server Extensions (FPSE) Malformed Form DoS",
+ "plugin_mod_date": "2020-06-12T12:00:00.000Z",
+ "plugin_pub_date": "2003-07-22T12:00:00.000Z",
+ "risk_factor": "High",
+ "see_also": [
+ "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-100"
+ ],
+ "solution": "Microsoft has released a set of patches for IIS 4.0 and 5.0.",
+ "source_file": "IIS_frontpage_DOS_2.nasl",
+ "synopsis": "The remote web server is vulnerable to a denial of service",
+ "temporal_score": 5.8,
+ "type": "active",
+ "version": 1.28,
+ "vpr": {
+ "context": {
+ "_original": [
+ {
+ "id": "age_of_vuln",
+ "name": "Vulnerability Age",
+ "type": "string",
+ "value": "730 days +"
+ },
+ {
+ "id": "cvssV3_impactScore",
+ "name": "CVSS v3 Impact Score",
+ "type": "number",
+ "value": 3.6
+ },
+ {
+ "id": "exploit_code_maturity",
+ "name": "Exploit Code Maturity",
+ "type": "string",
+ "value": "Unproven"
+ },
+ {
+ "id": "product_coverage",
+ "name": "Product Coverage",
+ "type": "string",
+ "value": "Low"
+ },
+ {
+ "id": "threat_intensity_last_28",
+ "name": "Threat Intensity",
+ "type": "string",
+ "value": "Very Low"
+ },
+ {
+ "id": "threat_recency",
+ "name": "Threat Recency",
+ "type": "string",
+ "value": "\u003e 365 days"
+ },
+ {
+ "id": "threat_sources_last_28",
+ "name": "Threat Sources",
+ "type": "string",
+ 
"value": "No recorded events"
+ }
+ ],
+ "age_of_vuln": "730 days +",
+ "cvssV3_impactScore": 3.6,
+ "exploit_code_maturity": "Unproven",
+ "product_coverage": "Low",
+ "threat_intensity_last_28": "Very Low",
+ "threat_recency": "\u003e 365 days",
+ "threat_sources_last_28": "No recorded events"
+ },
+ "score": 4.4
+ },
+ "vuln_pub_date": "2000-12-22T12:00:00.000Z",
+ "xrefs": [
+ "CVE:CVE-2001-0096",
+ "BID:2144",
+ "MSFT:MS00-100",
+ "MSKB:280322"
+ ]
+ }
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| tags | List of keywords used to tag each event. 
| keyword |
+| tenable_sc.plugin.base_score | The CVSSv2 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). | double |
+| tenable_sc.plugin.check_type | The type of the compliance check that detected the vulnerability. | keyword |
+| tenable_sc.plugin.copyright | The copyright information related to the plugin. | keyword |
+| tenable_sc.plugin.cpe | A list of plugin target systems identified by Common Platform Enumeration (CPE). | keyword |
+| tenable_sc.plugin.cvss_vector | The raw CVSSv2 metrics for the vulnerability. For more information, see CVSSv2 documentation. | keyword |
+| tenable_sc.plugin.cvss_vector_bf | N/A | keyword |
+| tenable_sc.plugin.cvssv3_base_score | The CVSSv3 base score (intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments). | double |
+| tenable_sc.plugin.cvssv3_temporal_score | The CVSSv3 temporal metrics for the vulnerability. | double |
+| tenable_sc.plugin.cvssv3_vector | The raw CVSSv3 metrics for the vulnerability. For more information, see CVSSv3 documentation. | keyword |
+| tenable_sc.plugin.cvssv3_vector_bf | N/A | keyword |
+| tenable_sc.plugin.dependencies | N/A | keyword |
+| tenable_sc.plugin.description | The extended description of the plugin. | keyword |
+| tenable_sc.plugin.dst_port | Destination port | long |
+| tenable_sc.plugin.exploit.ease | Description of how easy it is to exploit the vulnerability. | keyword |
+| tenable_sc.plugin.exploit.frameworks | Frameworks used by the exploit | keyword |
+| tenable_sc.plugin.exploit.is_available | Indicates whether a known public exploit exists for the vulnerability. | boolean |
+| tenable_sc.plugin.family.id | The ID of the plugin family. | keyword |
+| tenable_sc.plugin.family.name | The name of the plugin family. | keyword |
+| tenable_sc.plugin.family.type | The type of the plugin family. 
| keyword |
+| tenable_sc.plugin.id | The ID of the plugin. | keyword |
+| tenable_sc.plugin.is_patch_modified | Flag for if patch is modified | boolean |
+| tenable_sc.plugin.is_patch_published | Flag for if patch is published | boolean |
+| tenable_sc.plugin.is_plugin_modified | Flag for if plugin is modified | boolean |
+| tenable_sc.plugin.is_plugin_published | Flag for if plugin is published | boolean |
+| tenable_sc.plugin.is_vulnerability_published | Flag for if vulnerability is published | boolean |
+| tenable_sc.plugin.md5 | N/A | keyword |
+| tenable_sc.plugin.modified_time | Timestamp of last modification in plugin | date |
+| tenable_sc.plugin.name | The name of the plugin. | keyword |
+| tenable_sc.plugin.patch_mod_date | The date when the vendor modified the patch for the vulnerability. | date |
+| tenable_sc.plugin.patch_pub_date | The date when the vendor published a patch for the vulnerability. | date |
+| tenable_sc.plugin.plugin_mod_date | The date when Tenable last updated the plugin. | date |
+| tenable_sc.plugin.plugin_pub_date | The date when Tenable originally published the plugin. | date |
+| tenable_sc.plugin.protocol | Protocol used by the vulnerability | keyword |
+| tenable_sc.plugin.required_ports | N/A | keyword |
+| tenable_sc.plugin.required_udp_ports | N/A | keyword |
+| tenable_sc.plugin.risk_factor | The risk factor associated with the plugin. | keyword |
+| tenable_sc.plugin.see_also | Links to external websites that contain helpful information about the vulnerability. | keyword |
+| tenable_sc.plugin.solution | Remediation information for the vulnerability. | keyword |
+| tenable_sc.plugin.source | N/A | keyword |
+| tenable_sc.plugin.source_file | N/A | keyword |
+| tenable_sc.plugin.src_port | Source port. | long |
+| tenable_sc.plugin.stig_severity | STIG severity code for the vulnarebility. | keyword |
+| tenable_sc.plugin.synopsis | A brief summary of the vulnerability or vulnerabilities associated with the plugin. 
| keyword |
+| tenable_sc.plugin.temporal_score | The raw CVSSv2 temporal metrics for the vulnerability. | double |
+| tenable_sc.plugin.type | The type of the plugin. | keyword |
+| tenable_sc.plugin.version | The version of the plugin. | version |
+| tenable_sc.plugin.vpr.context | The matrix of Vulnerability Priority Rating (VPR) for the vulnerability. | flattened |
+| tenable_sc.plugin.vpr.score | The Vulnerability Priority Rating (VPR) score for the vulnerability. | double |
+| tenable_sc.plugin.vuln_pub_date | Vulnarebility publish date. | date |
+| tenable_sc.plugin.xrefs | References to third-party information about the vulnerability, exploit, or update associated with the plugin presented as an array of objects. | keyword |
+
+
+### Vulnerability
+
+This is the `vulnerability` dataset.
+
+An example event for `vulnerability` looks as following:
+
+```json
+{
+ "@timestamp": "2021-09-25T16:08:45.000Z",
+ "agent": {
+ "ephemeral_id": "e54df727-cc1b-4dcf-8dd5-6d4c93723135",
+ "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.0"
+ },
+ "data_stream": {
+ "dataset": "tenable_sc.vulnerability",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.2.0"
+ },
+ "elastic_agent": {
+ "id": "ecf3f02f-66cb-4b07-8a38-d84956c78dcc",
+ "snapshot": true,
+ "version": "8.2.0"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": "threat",
+ "created": "2022-02-14T16:32:52.226Z",
+ "dataset": "tenable_sc.vulnerability",
+ "ingested": "2022-02-14T16:32:55Z",
+ "kind": "event",
+ "original": "{\"acceptRisk\":\"0\",\"baseScore\":\"0.0\",\"bid\":\"\",\"checkType\":\"remote\",\"cpe\":\"\",\"cve\":\"CVE-1999-0524\",\"cvssV3BaseScore\":\"0.0\",\"cvssV3TemporalScore\":\"\",\"cvssV3Vector\":\"AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\",\"cvssVector\":\"AV:L/AC:L/Au:N/C:N/I:N/A:N\",\"description\":\"The remote host answers to an ICMP timestamp request. 
This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\\n\\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.\",\"dnsName\":\"_gateway.lxd\",\"exploitAvailable\":\"No\",\"exploitEase\":\"\",\"exploitFrameworks\":\"\",\"family\":{\"id\":\"30\",\"name\":\"General\",\"type\":\"active\"},\"firstSeen\":\"1551284872\",\"hasBeenMitigated\":\"0\",\"hostUniqueness\":\"repositoryID,ip,dnsName\",\"ip\":\"10.238.64.1\",\"ips\":\"10.238.64.1\",\"lastSeen\":\"1632586125\",\"macAddress\":\"00:16:3e:a1:12:f7\",\"netbiosName\":\"\",\"operatingSystem\":\"Linux Kernel 2.6\",\"patchPubDate\":\"-1\",\"pluginID\":\"10114\",\"pluginInfo\":\"10114 (0/1) ICMP Timestamp Request Remote Date Disclosure\",\"pluginModDate\":\"1570190400\",\"pluginName\":\"ICMP Timestamp Request Remote Date Disclosure\",\"pluginPubDate\":\"933508800\",\"pluginText\":\"\\u003cplugin_output\\u003eThe remote clock is synchronized with the local clock.\\n\\u003c/plugin_output\\u003e\",\"port\":\"0\",\"protocol\":\"ICMP\",\"recastRisk\":\"0\",\"repository\":{\"dataFormat\":\"IPv4\",\"description\":\"\",\"id\":\"1\",\"name\":\"Live\",\"sciID\":\"1\"},\"riskFactor\":\"None\",\"seeAlso\":\"\",\"severity\":{\"description\":\"Informative\",\"id\":\"0\",\"name\":\"Info\"},\"solution\":\"Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).\",\"stigSeverity\":\"\",\"synopsis\":\"It is possible to determine the exact time set on the remote host.\",\"temporalScore\":\"\",\"uniqueness\":\"repositoryID,ip,dnsName\",\"uuid\":\"\",\"version\":\"1.48\",\"vprContext\":\"[{\\\"id\\\":\\\"age_of_vuln\\\",\\\"name\\\":\\\"Vulnerability Age\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"730 days 
+\\\"},{\\\"id\\\":\\\"cvssV3_impactScore\\\",\\\"name\\\":\\\"CVSS v3 Impact Score\\\",\\\"type\\\":\\\"number\\\",\\\"value\\\":0},{\\\"id\\\":\\\"exploit_code_maturity\\\",\\\"name\\\":\\\"Exploit Code Maturity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Unproven\\\"},{\\\"id\\\":\\\"product_coverage\\\",\\\"name\\\":\\\"Product Coverage\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very High\\\"},{\\\"id\\\":\\\"threat_intensity_last_28\\\",\\\"name\\\":\\\"Threat Intensity\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"Very Low\\\"},{\\\"id\\\":\\\"threat_recency\\\",\\\"name\\\":\\\"Threat Recency\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"},{\\\"id\\\":\\\"threat_sources_last_28\\\",\\\"name\\\":\\\"Threat Sources\\\",\\\"type\\\":\\\"string\\\",\\\"value\\\":\\\"No recorded events\\\"}]\",\"vprScore\":\"0.8\",\"vulnPubDate\":\"788961600\",\"xref\":\"CWE #200\"}",
+ "type": "info"
+ },
+ "host": {
+ "domain": "lxd",
+ "hostname": "_gateway.lxd",
+ "ip": [
+ "10.238.64.1"
+ ],
+ "mac": [
+ "00-16-3E-A1-12-F7"
+ ],
+ "name": "_gateway",
+ "os": {
+ "full": "Linux Kernel 2.6"
+ }
+ },
+ "input": {
+ "type": "httpjson"
+ },
+ "related": {
+ "hosts": [
+ "_gateway.lxd",
+ "_gateway"
+ ],
+ "ip": [
+ "10.238.64.1"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "forwarded",
+ "tenable_sc-vulnerability"
+ ],
+ "tenable_sc": {
+ "vulnerability": {
+ "accept_risk": "0",
+ "base_score": "0.0",
+ "check_type": "remote",
+ "custom_hash": "qVUXK2YtClsBlXncLYHLhVzynYK4hG2NbT0hY6guQm0=",
+ "cvss_v3_vector": "AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "cvss_vector": "AV:L/AC:L/Au:N/C:N/I:N/A:N",
+ "dns": {
+ "name": "_gateway.lxd"
+ },
+ "exploit": {
+ "is_available": false
+ },
+ "family": {
+ "id": "30",
+ "name": "General",
+ "type": "active"
+ },
+ "first_seen": "2019-02-27T16:27:52.000Z",
+ "has_been_mitigated": false,
+ "host_uniqueness": "repositoryID,ip,dnsName",
+ "id": "1_10.238.64.1__gateway.lxd",
+ "ip": "10.238.64.1",
+ "is_vulnerability_published": true,
+ "last_seen": "2021-09-25T16:08:45.000Z",
+ "mac": "00-16-3E-A1-12-F7",
+ "operating_system": "Linux Kernel 2.6",
+ "patch": {
+ "is_published": false
+ },
+ "plugin": {
+ "id": "10114",
+ "info": "10114 (0/1) ICMP Timestamp Request Remote Date Disclosure",
+ "is_modified": true,
+ "is_published": true,
+ "mod_date": "2019-10-04T12:00:00.000Z",
+ "name": "ICMP Timestamp Request Remote Date Disclosure",
+ "pub_date": "1999-08-01T12:00:00.000Z",
+ "text": "\u003cplugin_output\u003eThe remote clock is synchronized with the local clock.\n\u003c/plugin_output\u003e"
+ },
+ "port": "0",
+ "protocol": "ICMP",
+ "recast_risk": "0",
+ "repository": {
+ "data_format": "IPv4",
+ "id": "1",
+ "name": "Live",
+ "sci_id": "1"
+ },
+ "risk_factor": "None",
+ "severity": {
+ "description": "Informative",
+ "id": "0"
+ },
+ "solution": "Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).",
+ "synopsis": "It is possible to determine the exact time set on the remote host.",
+ "uniqueness": "repositoryID,ip,dnsName",
+ "version": "1.48",
+ "vpr": {
+ "context": {
+ "_original": [
+ {
+ "id": "age_of_vuln",
+ "name": "Vulnerability Age",
+ "type": "string",
+ "value": "730 days +"
+ },
+ {
+ "id": "cvssV3_impactScore",
+ "name": "CVSS v3 Impact Score",
+ "type": "number",
+ "value": 0
+ },
+ {
+ "id": "exploit_code_maturity",
+ "name": "Exploit Code Maturity",
+ "type": "string",
+ "value": "Unproven"
+ },
+ {
+ "id": "product_coverage",
+ "name": "Product Coverage",
+ "type": "string",
+ "value": "Very High"
+ },
+ {
+ "id": "threat_intensity_last_28",
+ "name": "Threat Intensity",
+ "type": "string",
+ "value": "Very Low"
+ },
+ {
+ "id": "threat_recency",
+ "name": "Threat Recency",
+ "type": "string",
+ "value": "No recorded events"
+ },
+ {
+ "id": "threat_sources_last_28",
+ "name": "Threat Sources",
+ "type": "string",
+ "value": "No recorded events"
+ }
+ ],
+ "age_of_vuln": "730 days +",
+ 
"cvssV3_impactScore": 0,
+ "exploit_code_maturity": "Unproven",
+ "product_coverage": "Very High",
+ "threat_intensity_last_28": "Very Low",
+ "threat_recency": "No recorded events",
+ "threat_sources_last_28": "No recorded events"
+ },
+ "score": 0.8
+ },
+ "vuln_pub_date": "1995-01-01T12:00:00.000Z",
+ "xref": [
+ "CWE #200"
+ ]
+ }
+ },
+ "vulnerability": {
+ "category": [
+ "General"
+ ],
+ "classification": "CVSS",
+ "description": "The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.\n\nTimestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.",
+ "enumeration": "CVE",
+ "id": [
+ "CVE-1999-0524"
+ ],
+ "reference": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0524"
+ ],
+ "scanner": {
+ "vendor": "Tenable"
+ },
+ "score": {
+ "base": 0,
+ "version": "3.0"
+ },
+ "severity": "Info"
+ }
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Input type | keyword |
+| log.offset | Log offset | long |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| tenable_sc.vulnerability.accept_risk | N/A | keyword |
+| tenable_sc.vulnerability.base_score | Intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. | keyword |
+| tenable_sc.vulnerability.bid | The Bugtraq ID. | keyword |
+| tenable_sc.vulnerability.check_type | The type of the compliance check that detected the vulnerability. | keyword |
+| tenable_sc.vulnerability.cpe | The Common Platform Enumeration (CPE) number for the plugin. | keyword |
+| tenable_sc.vulnerability.custom_hash | Hash of fields plugin_id, port, protocol, tenable_sc.vulnerability.id for uniqueidentifier of an vulnerability. 
| keyword |
+| tenable_sc.vulnerability.cvss_v3_vector | Additional CVSSv3 metrics for the vulnerability. | keyword |
+| tenable_sc.vulnerability.cvss_vector | Additional CVSSv2 metrics for the vulnerability. | keyword |
+| tenable_sc.vulnerability.dns.name | DNS name | keyword |
+| tenable_sc.vulnerability.exploit.ease | Description of how easy it is to exploit the vulnerability. | keyword |
+| tenable_sc.vulnerability.exploit.frameworks | Framework used by exploit | keyword |
+| tenable_sc.vulnerability.exploit.is_available | A value specifying whether a public exploit exists for the vulnerability. | boolean |
+| tenable_sc.vulnerability.family.id | Family id of the vulnarebility. | keyword |
+| tenable_sc.vulnerability.family.name | Family name of the vulnarebility. | keyword |
+| tenable_sc.vulnerability.family.type | Family type of the vulnarebility. | keyword |
+| tenable_sc.vulnerability.first_seen | The time and date when a scan first identified the vulnerability. | date |
+| tenable_sc.vulnerability.has_been_mitigated | Indicates whether the vulnerability has been mitigated. | boolean |
+| tenable_sc.vulnerability.host_uniqueness | Name of the fields used to determine the uniqueness of the host. | keyword |
+| tenable_sc.vulnerability.id | String containing the values of the field names mentioned in uniqueness concatenated with '_' | keyword |
+| tenable_sc.vulnerability.ip | The ip address of the asset where a scan found the vulnerability | keyword |
+| tenable_sc.vulnerability.is_vulnerability_published | Flag for if vulnerablity is published | boolean |
+| tenable_sc.vulnerability.last_seen | The time and date when a scan most recently identified the vulnerability. 
| date |
+| tenable_sc.vulnerability.mac | The MAC address of the asset where a scan found the vulnerability | keyword |
+| tenable_sc.vulnerability.netbios.name | NetBIOS name of the asset where a scan found the vulnerability | keyword |
+| tenable_sc.vulnerability.operating_system | The operating system of the asset where a scan found the vulnerability. | keyword |
+| tenable_sc.vulnerability.patch.is_published | Flag for if vulnerablity is patched | boolean |
+| tenable_sc.vulnerability.patch.pub_date | The date on which the patch for the vulnerability was published. | date |
+| tenable_sc.vulnerability.plugin.id | The ID of the plugin. | keyword |
+| tenable_sc.vulnerability.plugin.info | Information regarding the plugin. | keyword |
+| tenable_sc.vulnerability.plugin.is_modified | Flag for if plugin is modified | boolean |
+| tenable_sc.vulnerability.plugin.is_published | Flag for if plugin is published | boolean |
+| tenable_sc.vulnerability.plugin.mod_date | The date on which the vulnerability was modified. | date |
+| tenable_sc.vulnerability.plugin.name | The name of the plugin. | keyword |
+| tenable_sc.vulnerability.plugin.pub_date | The date on which the vulnerability was published. | date |
+| tenable_sc.vulnerability.plugin.text | Text provided by plugin. (Usually plugin output text) | keyword |
+| tenable_sc.vulnerability.port | The port the scanner used to communicate with the asset. | keyword |
+| tenable_sc.vulnerability.protocol | The protocol the scanner used to communicate with the asset. | keyword |
+| tenable_sc.vulnerability.recast_risk | Modified the severity risk measure of vulnerabilities using recast rules | keyword |
+| tenable_sc.vulnerability.repository.data_format | The data format of the repository | keyword |
+| tenable_sc.vulnerability.repository.description | The description of the repository. | keyword |
+| tenable_sc.vulnerability.repository.id | The ID of the repository. 
| keyword | +| tenable_sc.vulnerability.repository.name | The name of the repository. | keyword | +| tenable_sc.vulnerability.repository.sci_id | N/A | keyword | +| tenable_sc.vulnerability.risk_factor | The risk factor associated with the vulnerability. | keyword | +| tenable_sc.vulnerability.severity.description | The description of the severity. | keyword | +| tenable_sc.vulnerability.severity.id | The code for the severity assigned when a user recasts the risk associated with the vulnerability. | keyword | +| tenable_sc.vulnerability.solution | Remediation information for the vulnerability. | keyword | +| tenable_sc.vulnerability.stig_severity | Security Technical Implementation Guide (STIG) severity code for the vulnerability. | keyword | +| tenable_sc.vulnerability.synopsis | Brief description of the vulnerability. | keyword | +| tenable_sc.vulnerability.temporal_score | Characteristics of a vulnerability that change over time but not among user environments. | keyword | +| tenable_sc.vulnerability.uniqueness | Name of the fields used to determine the uniqueness of the vulnerability. | keyword | +| tenable_sc.vulnerability.uuid | N/A | keyword | +| tenable_sc.vulnerability.version | The version of the vulnerability. | keyword | +| tenable_sc.vulnerability.vpr.context | The matrix of Vulnerability Priority Rating (VPR) for the vulnerability. | flattened | +| tenable_sc.vulnerability.vpr.score | The Vulnerability Priority Rating (VPR) score for the vulnerability. | double | +| tenable_sc.vulnerability.vuln_pub_date | The date on which the vulnerability was published. | date | +| tenable_sc.vulnerability.xref | References to third-party information about the vulnerability, exploit, or update associated with the plugin. | keyword | +| vulnerability.category | The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). 
For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) This field must be an array. | keyword | +| vulnerability.classification | The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) | keyword | +| vulnerability.description | The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) | keyword | +| vulnerability.description.text | Multi-field of `vulnerability.description`. | match_only_text | +| vulnerability.enumeration | The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) | keyword | +| vulnerability.id | The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] | keyword | +| vulnerability.reference | A resource that provides additional information, context, and mitigations for the identified vulnerability. | keyword | +| vulnerability.report_id | The report or scan identification number. | keyword | +| vulnerability.scanner.vendor | The name of the vulnerability scanner vendor. | keyword | +| vulnerability.score.base | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.temporal | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. 
Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) | float | +| vulnerability.score.version | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | +| vulnerability.severity | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) | keyword | diff --git a/packages/tenable_sc/1.2.2/img/tenable_sc-logo.svg b/packages/tenable_sc/1.2.2/img/tenable_sc-logo.svg new file mode 100755 index 0000000000..d8ccf27ba3 --- /dev/null +++ b/packages/tenable_sc/1.2.2/img/tenable_sc-logo.svg @@ -0,0 +1,87 @@ + + + + + + + + + + + + + + + + + + diff --git a/packages/tenable_sc/1.2.2/img/tenable_sc-screenshot.png b/packages/tenable_sc/1.2.2/img/tenable_sc-screenshot.png new file mode 100755 index 0000000000..b515846cff Binary files /dev/null and b/packages/tenable_sc/1.2.2/img/tenable_sc-screenshot.png differ diff --git a/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-726dfad0-2c0d-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-726dfad0-2c0d-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..e0f9fe5220 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-726dfad0-2c0d-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,54 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"249b5ebe-82ed-4d42-9dad-e6f150b320a3\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"249b5ebe-82ed-4d42-9dad-e6f150b320a3\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"8aa83051-d31f-414d-83de-55d4999dab13\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"8aa83051-d31f-414d-83de-55d4999dab13\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"params\":{\"colWidth\":[{\"colIndex\":0,\"width\":543}]}}},\"gridData\":{\"h\":15,\"i\":\"67693723-8202-4c0d-9b37-8b42cea0d511\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"67693723-8202-4c0d-9b37-8b42cea0d511\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"133ae7d6-9129-468c-8e2f-b22753ff092f\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"133ae7d6-9129-468c-8e2f-b22753ff092f\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"b9a78373-1b89-4c61-8a77-cc91d185503a\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"b9a78373-1b89-4c61-8a77-cc91d185503a\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"2cd3b9f8-370d-4303-85f6-cd1e59608
cbf\",\"w\":24,\"x\":24,\"y\":30},\"panelIndex\":\"2cd3b9f8-370d-4303-85f6-cd1e59608cbf\",\"panelRefName\":\"panel_5\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Tenable SC] Plugins", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-726dfad0-2c0d-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "tenable_sc-68ce24a0-2c0d-11ec-b3e0-f3fd7c471f4b", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "tenable_sc-c7547240-2c0d-11ec-b3e0-f3fd7c471f4b", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "tenable_sc-12120d60-2c0e-11ec-b3e0-f3fd7c471f4b", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "tenable_sc-578e2360-2c0e-11ec-b3e0-f3fd7c471f4b", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "tenable_sc-8dd5b500-2c0e-11ec-b3e0-f3fd7c471f4b", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "tenable_sc-dc64f5b0-2ccb-11ec-af51-75b163cdcc43", + "name": "panel_5", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2021-10-26T09:26:13.313Z", + "version": "WzQwMjMsMV0=" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-b9b277f0-2c11-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-b9b277f0-2c11-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..5f55bb19bb --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-b9b277f0-2c11-11ec-b3e0-f3fd7c471f4b.json 
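Review bot: This dashboard ships Kibana export bookkeeping — `"updated_at": "2021-10-26T09:26:13.313Z"` and `"version": "WzQwMjMsMV0="` — and every panel in `panelsJSON` carries `\"version\":\"7.16.0-SNAPSHOT\"`, while the sibling dashboard `tenable_sc-b9b277f0` in the same package omits both top-level fields and uses `7.16.2`. The `updated_at`/`version` pair is specific to the Kibana instance the object was exported from (the base64 value looks like a sequence-number/primary-term tuple) and changes on every re-export, so it adds diff noise without affecting import, and a `-SNAPSHOT` panel version suggests the objects were captured from a pre-release build. I would drop the two fields and re-export the panels from a released 7.16.x, and apply the same to the Assets dashboard `tenable_sc-d340bc30` and the visualizations that carry them (`tenable_sc-12120d60`, `20a11b40`, `578e2360`, `5bc40b40`, `5de3dfd0`, `68ce24a0`, `773a1570`). All of the new JSON files also end without a trailing newline; harmless to Kibana, but worth normalising if the repository lints for it.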
@@ -0,0 +1,67 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"e3625770-e6f9-45aa-810a-ea7d32c48b74\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"e3625770-e6f9-45aa-810a-ea7d32c48b74\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":8,\"i\":\"ae58ea8e-a23d-440d-8469-dc7f3f3f3e1e\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"ae58ea8e-a23d-440d-8469-dc7f3f3f3e1e\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"bf059760-95e6-46c2-bdc1-547af136837d\",\"w\":16,\"x\":0,\"y\":8},\"panelIndex\":\"bf059760-95e6-46c2-bdc1-547af136837d\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"4ecd24fc-90c0-42cf-9137-8e04474a0b9a\",\"w\":16,\"x\":16,\"y\":8},\"panelIndex\":\"4ecd24fc-90c0-42cf-9137-8e04474a0b9a\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":12,\"i\":\"6c43b47d-95bf-441e-ad97-43fa4caa3e1e\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6c43b47d-95bf-441e-ad97-43fa4caa3e1e\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":18,\"i\":\"d9013e57-9763-4ee5-ab25-2b0105ca4553\",\"w\":48,\"x\":0,\"y\":20},\"panelIndex\":\"d9013e57-9763-4ee5-ab25-2b0105ca4553\",\"panelRefName\":\"panel_5\",\"type\":\"search\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"
gridData\":{\"h\":14,\"i\":\"d4ddeb5d-9d99-4163-9954-6aa50de01147\",\"w\":16,\"x\":0,\"y\":38},\"panelIndex\":\"d4ddeb5d-9d99-4163-9954-6aa50de01147\",\"panelRefName\":\"panel_6\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":14,\"i\":\"e6f63aa5-1f62-4d6e-b903-6d0c96926bb8\",\"w\":16,\"x\":16,\"y\":38},\"panelIndex\":\"e6f63aa5-1f62-4d6e-b903-6d0c96926bb8\",\"panelRefName\":\"panel_7\",\"type\":\"visualization\",\"version\":\"7.16.2\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":14,\"i\":\"13b27c09-267b-42f4-a67b-8a407a5b380c\",\"w\":16,\"x\":32,\"y\":38},\"panelIndex\":\"13b27c09-267b-42f4-a67b-8a407a5b380c\",\"panelRefName\":\"panel_8\",\"type\":\"visualization\",\"version\":\"7.16.2\"}]", + "timeRestore": false, + "title": "[Tenable SC] Vulnerabilities", + "version": 1 + }, + "coreMigrationVersion": "7.16.2", + "id": "tenable_sc-b9b277f0-2c11-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "tenable_sc-d27cc590-88c5-11ec-a56b-9fd8deec1ba2", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "tenable_sc-2b883920-88c7-11ec-a56b-9fd8deec1ba2", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "tenable_sc-5bc40b40-2c16-11ec-b3e0-f3fd7c471f4b", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "tenable_sc-d4fe2930-2c13-11ec-b3e0-f3fd7c471f4b", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "tenable_sc-20a11b40-2c14-11ec-b3e0-f3fd7c471f4b", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "tenable_sc-e23be000-8970-11ec-a56b-9fd8deec1ba2", + "name": "panel_5", + "type": "search" + }, + { + "id": "tenable_sc-eccc5090-2cd2-11ec-af51-75b163cdcc43", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "tenable_sc-7a7c8900-2c15-11ec-b3e0-f3fd7c471f4b", + "name": "panel_7", + "type": "visualization" + }, + { + "id": 
"tenable_sc-8f3552c0-2c13-11ec-b3e0-f3fd7c471f4b", + "name": "panel_8", + "type": "visualization" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-d340bc30-30bd-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-d340bc30-30bd-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..a5244cc1d5 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/dashboard/tenable_sc-d340bc30-30bd-11ec-b7d2-eba3454d2335.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "optionsJSON": "{\"hidePanelTitles\":false,\"syncColors\":false,\"useMargins\":true}", + "panelsJSON": "[{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"16dcc5a1-aa4f-4f44-940b-7917b408c492\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"16dcc5a1-aa4f-4f44-940b-7917b408c492\",\"panelRefName\":\"panel_0\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"09f26c22-2342-406d-bec0-7f42203e3c80\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"09f26c22-2342-406d-bec0-7f42203e3c80\",\"panelRefName\":\"panel_1\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"48d83932-2136-42fc-bf36-2b332dceebba\",\"w\":24,\"x\":24,\"y\":15},\"panelIndex\":\"48d83932-2136-42fc-bf36-2b332dceebba\",\"panelRefName\":\"panel_2\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{}},\"gridData\":{\"h\":15,\"i\":\"972fc33f-ca09-4df7-a8a1-2c26a8df9ab6\",\"w\":24,\"x\":0,\"y\":15},\"panelIndex\":\"972fc33f-ca09-4df7-a8a1-2c26a8df9ab6\",\"panelRefName\":\"panel_3\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"},{\"embeddableConfig\":{\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":15,\"i\":\"9ed95605-e96d-4fcd-b202-f53a565ade4a\",\"w\":24,\"x\":0,\"y\":30},\"panelIndex\":\"9ed95605-e96d-4fcd-b202-f53a565ade4a\",\"panelRefName\":\"panel_4\",\"type\":\"visualization\",\"version\":\"7.16.0-SNAPSHOT\"}]", + "timeRestore": false, + "title": "[Tenable SC] Assets", + "version": 1 + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-d340bc30-30bd-11ec-b7d2-eba3454d2335", 
+ "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "tenable_sc-8b4a4cd0-30bc-11ec-b7d2-eba3454d2335", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "tenable_sc-b1c8bb30-30bc-11ec-b7d2-eba3454d2335", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "tenable_sc-5de3dfd0-30bd-11ec-b7d2-eba3454d2335", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "tenable_sc-c16a8ae0-30bd-11ec-b7d2-eba3454d2335", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "tenable_sc-773a1570-323a-11ec-b7d2-eba3454d2335", + "name": "panel_4", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2021-10-21T08:12:17.267Z", + "version": "WzM0NjgsMV0=" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/search/tenable_sc-e23be000-8970-11ec-a56b-9fd8deec1ba2.json b/packages/tenable_sc/1.2.2/kibana/search/tenable_sc-e23be000-8970-11ec-a56b-9fd8deec1ba2.json new file mode 100755 index 0000000000..2030b61199 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/search/tenable_sc-e23be000-8970-11ec-a56b-9fd8deec1ba2.json 
@@ -0,0 +1,38 @@ +{ + "attributes": { + "columns": [ + "host.name", + "vulnerability.id", + "tenable_sc.vulnerability.exploit.is_available", + "tenable_sc.vulnerability.temporal_score", + "tenable_sc.vulnerability.is_vulnerability_published", + "tenable_sc.vulnerability.severity.description" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\"\"}}" + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "[Tenable SC] Vulnerability Essential Details" + }, + "coreMigrationVersion": "7.16.2", + "id": "tenable_sc-e23be000-8970-11ec-a56b-9fd8deec1ba2", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-12120d60-2c0e-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-12120d60-2c0e-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..c5df735da0 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-12120d60-2c0e-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"key\":\"tenable_sc.plugin.solution\",\"negate\":true,\"params\":{\"query\":\"\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"tenable_sc.plugin.solution\":\"\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\"\"}}" + }, + "title": "[Tenable SC] Top 10 Most Common Solutions", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Most Common Solutions\",\"field\":\"tenable_sc.plugin.solution\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Tenable SC] Top 10 Most Common Solutions\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.15.0", + "id": "tenable_sc-12120d60-2c0e-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-14T09:47:28.992Z", + "version": "WzI0MTg4LDZd" +} \ No newline at end of file 
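Review bot: The metric behind this "Top 10 Most Common Solutions" table is a plain `\"type\":\"count\"`, whereas the other plugin visualizations added in this package (`Total Plugins`, `Distribution of Plugins by Plugin Type`) count `tenable_sc.plugin.id` with a `cardinality` aggregation. If plugin documents are re-ingested on each collection interval — which the distinct count used elsewhere implies — the ranking here is weighted by how often a plugin was collected rather than by how many plugins share a solution, and the same solution text can climb the table simply by being re-polled. Replacing the first aggregation with `{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Plugins\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}` keeps `\"orderBy\":\"1\"` valid and makes the table consistent with its siblings. I am inferring the re-ingestion from the sibling objects, so please confirm against the data stream's collection behaviour before changing it.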
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-20a11b40-2c14-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-20a11b40-2c14-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..fda7d435e3 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-20a11b40-2c14-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tenable_sc.vulnerability.patch.is_published\",\"negate\":false,\"params\":{\"query\":true},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"tenable_sc.vulnerability.patch.is_published\":true}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Total Patched Vulnerabilities", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Patched Vulnerabilities\",\"field\":\"tenable_sc.vulnerability.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Patched Vulnerabilities\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-20a11b40-2c14-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T11:23:26.501Z", + "version": "WzUzNDQsMV0=" +} \ No newline at end of 
file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-2b883920-88c7-11ec-a56b-9fd8deec1ba2.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-2b883920-88c7-11ec-a56b-9fd8deec1ba2.json new file mode 100755 index 0000000000..f9956e2969 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-2b883920-88c7-11ec-a56b-9fd8deec1ba2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Tenable SC] Host Selector", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"host.hostname\",\"id\":\"1644314837318\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Hostname\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Tenable SC] Host Selector\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "tenable_sc-2b883920-88c7-11ec-a56b-9fd8deec1ba2", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-578e2360-2c0e-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-578e2360-2c0e-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..f2db956454 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-578e2360-2c0e-11ec-b3e0-f3fd7c471f4b.json 
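Review bot: The `[Tenable SC] Total Patched Vulnerabilities` metric is a distinct count of `tenable_sc.vulnerability.custom_hash` filtered on `tenable_sc.vulnerability.patch.is_published: true`. Going by the neighbouring field `tenable_sc.vulnerability.patch.pub_date` ("The date on which the patch for the vulnerability was published") and the separate `tenable_sc.vulnerability.has_been_mitigated` flag in the README field table, `patch.is_published` most likely means a vendor patch exists for the finding, not that the affected asset has been remediated, so the title would overstate remediation to anyone reading the dashboard. If that reading is right, retitle the panel along the lines of `[Tenable SC] Vulnerabilities with a Published Patch` (in both `title` fields) or base it on `has_been_mitigated`; either way the README row for `patch.is_published` ("Flag for if vulnerablity is patched") should be reworded to say which of the two it is. The KQL query also carries a trailing space (`\"tenable_sc.vulnerability\\\" \"`) that several sibling objects omit; harmless, but worth normalising while the objects are re-exported.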
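Review bot: The `[Tenable SC] Host Selector` control lists `host.hostname` from the whole `logs-*` index pattern with `\"useTimeFilter\":false` and no dataset query, so as far as I can tell its option list is populated from every data stream under `logs-*` in the cluster, not just Tenable SC documents, and will grow with unrelated integrations. The saved search placed on the same Vulnerabilities dashboard shows `host.name` as its column, so a value chosen here filters on a different field than the one users see in the table; if the pipeline does not set `host.hostname` on these events the selector will silently return empty results. Aligning the control and the search on whichever host field the ingest pipeline reliably populates, and enabling `useTimeFilter` so the list reflects the dashboard's time range, would make the selector predictable; please confirm which field the pipeline sets before changing it.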
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\" \"}}" + }, + "title": "[Tenable SC] Distribution of Plugins by Plugin Type", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Plugin Type\",\"field\":\"tenable_sc.plugin.type\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Plugins by Plugin Type\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-578e2360-2c0e-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:26:13.313Z", + "version": "WzQwMjAsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5bc40b40-2c16-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5bc40b40-2c16-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..fb62dd1734 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5bc40b40-2c16-11ec-b3e0-f3fd7c471f4b.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Total Vulnerabilities", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Vulnerabilities\",\"field\":\"tenable_sc.vulnerability.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Vulnerabilities\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-5bc40b40-2c16-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:35:11.519Z", + "version": "WzQyNjYsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5de3dfd0-30bd-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5de3dfd0-30bd-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..6490698172 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-5de3dfd0-30bd-11ec-b7d2-eba3454d2335.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.asset\\\" \"}}" + }, + "title": "[Tenable SC] Distribution of Assets by Policy Name", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.asset.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Policy Name\",\"field\":\"tenable_sc.asset.policy.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Assets by Policy Name\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-5de3dfd0-30bd-11ec-b7d2-eba3454d2335", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-21T08:10:56.520Z", + "version": "WzM0MTcsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-68ce24a0-2c0d-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-68ce24a0-2c0d-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..274a55a149 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-68ce24a0-2c0d-11ec-b3e0-f3fd7c471f4b.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\" \"}}" + }, + "title": "[Tenable SC] Total Plugins", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Plugins\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Plugins\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-68ce24a0-2c0d-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-11T08:35:06.953Z", + "version": "WzkyMCwxXQ==" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-773a1570-323a-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-773a1570-323a-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..848b094436 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-773a1570-323a-11ec-b7d2-eba3454d2335.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.asset\\\"\"}}" + }, + "title": "[Tenable SC] Distribution of Assets in Repositories", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.asset.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository Name\",\"field\":\"tenable_sc.asset.repository.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Assets in Repositories\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-773a1570-323a-11ec-b7d2-eba3454d2335", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-21T08:15:11.635Z", + "version": "WzM2MzQsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-7a7c8900-2c15-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-7a7c8900-2c15-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..24bf57e24a --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-7a7c8900-2c15-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Distribution of Vulnerabilities by Severity", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.vulnerability.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Severity\",\"field\":\"vulnerability.severity\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Vulnerabilities by Severity\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-7a7c8900-2c15-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:35:11.519Z", + "version": "WzQyNzAsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8b4a4cd0-30bc-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8b4a4cd0-30bc-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..d0e43ee9c1 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8b4a4cd0-30bc-11ec-b7d2-eba3454d2335.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.asset\\\"\"}}" + }, + "title": "[Tenable SC] Total Assets", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Assets\",\"field\":\"tenable_sc.asset.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Assets\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-8b4a4cd0-30bc-11ec-b7d2-eba3454d2335", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-21T06:27:59.104Z", + "version": "WzI1OTYsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8dd5b500-2c0e-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8dd5b500-2c0e-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..e092bb6421 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8dd5b500-2c0e-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\" \"}}" + }, + "title": "[Tenable SC] Distribution of Plugins based on Risk Factors", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Risk Factors\",\"field\":\"tenable_sc.plugin.risk_factor\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Plugins based on Risk Factors\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-8dd5b500-2c0e-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:26:13.313Z", + "version": "WzQwMjEsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8f3552c0-2c13-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8f3552c0-2c13-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..c870ea1458 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-8f3552c0-2c13-11ec-b3e0-f3fd7c471f4b.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Top 10 Vulnerable IPs", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.vulnerability.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Top Vulnerable IPs\",\"field\":\"tenable_sc.vulnerability.ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Tenable SC] Top 10 Vulnerable IPs\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-8f3552c0-2c13-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:35:11.519Z", + "version": "WzQyNzEsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-b1c8bb30-30bc-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-b1c8bb30-30bc-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..3d080fd0e0 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-b1c8bb30-30bc-11ec-b7d2-eba3454d2335.json 
@@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.asset\\\" \"}}" + }, + "title": "[Tenable SC] Distribution of Assets by Repository data format", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.asset.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Repository data format\",\"field\":\"tenable_sc.asset.repository.data_format\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":5},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Distribution of Assets by Repository data format\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-b1c8bb30-30bc-11ec-b7d2-eba3454d2335", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-21T08:09:50.493Z", + "version": "WzMzNzAsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c16a8ae0-30bd-11ec-b7d2-eba3454d2335.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c16a8ae0-30bd-11ec-b7d2-eba3454d2335.json new file mode 100755 index 0000000000..8882bd80a8 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c16a8ae0-30bd-11ec-b7d2-eba3454d2335.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.asset\\\"\"}}" + }, + "title": "[Tenable SC] Top 10 DNS Names", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.asset.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"DNS Name\",\"field\":\"tenable_sc.asset.dns.name\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showToolbar\":false,\"showTotal\":false,\"totalFunc\":\"sum\"},\"title\":\"[Tenable SC] Top 10 DNS Names\",\"type\":\"table\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-c16a8ae0-30bd-11ec-b7d2-eba3454d2335", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-21T08:10:17.107Z", + "version": "WzMzOTAsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c7547240-2c0d-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c7547240-2c0d-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..ae0b6b2aa3 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-c7547240-2c0d-11ec-b3e0-f3fd7c471f4b.json @@ -0,0 +1,27 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\" and tenable_sc.plugin.exploit.is_available : true \"}}" + }, + "title": "[Tenable SC] Total Plugins with exploit available", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Plugins with Exploit Available\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Plugins with exploit available\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-c7547240-2c0d-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T09:26:13.313Z", + "version": "WzQwMTgsMV0=" +} \ No newline at end of file 
diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d27cc590-88c5-11ec-a56b-9fd8deec1ba2.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d27cc590-88c5-11ec-a56b-9fd8deec1ba2.json new file mode 100755 index 0000000000..7106586097 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d27cc590-88c5-11ec-a56b-9fd8deec1ba2.json @@ -0,0 +1,25 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"kuery\",\"query\":\"\"}}" + }, + "title": "[Tenable SC] Vulnerability Selector", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[],\"params\":{\"controls\":[{\"fieldName\":\"vulnerability.id\",\"id\":\"1644314295235\",\"indexPatternRefName\":\"control_0_index_pattern\",\"label\":\"Vulnerability ID\",\"options\":{\"dynamicOptions\":true,\"multiselect\":true,\"order\":\"desc\",\"size\":5,\"type\":\"terms\"},\"parent\":\"\",\"type\":\"list\"}],\"pinFilters\":false,\"updateFiltersOnChange\":true,\"useTimeFilter\":false},\"title\":\"[Tenable SC] Vulnerability Selector\",\"type\":\"input_control_vis\"}" + }, + "coreMigrationVersion": "7.16.2", + "id": "tenable_sc-d27cc590-88c5-11ec-a56b-9fd8deec1ba2", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d4fe2930-2c13-11ec-b3e0-f3fd7c471f4b.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d4fe2930-2c13-11ec-b3e0-f3fd7c471f4b.json new file mode 100755 index 0000000000..fe1b5b9785 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-d4fe2930-2c13-11ec-b3e0-f3fd7c471f4b.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tenable_sc.vulnerability.patch.is_published\",\"negate\":false,\"params\":{\"query\":false},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"tenable_sc.vulnerability.patch.is_published\":false}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Total Active Vulnerabilities", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Active Vulnerabilities\",\"field\":\"tenable_sc.vulnerability.custom_hash\"},\"schema\":\"metric\",\"type\":\"cardinality\"}],\"params\":{\"addLegend\":false,\"addTooltip\":true,\"metric\":{\"colorSchema\":\"Green to Red\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"invertColors\":false,\"labels\":{\"show\":true},\"metricColorMode\":\"None\",\"percentageMode\":false,\"style\":{\"bgColor\":false,\"bgFill\":\"#000\",\"fontSize\":60,\"labelColor\":false,\"subText\":\"\"},\"useRanges\":false},\"type\":\"metric\"},\"title\":\"[Tenable SC] Total Active Vulnerabilities\",\"type\":\"metric\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-d4fe2930-2c13-11ec-b3e0-f3fd7c471f4b", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T11:23:00.527Z", + "version": "WzUzMTEsMV0=" +} \ No newline at end of 
file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-dc64f5b0-2ccb-11ec-af51-75b163cdcc43.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-dc64f5b0-2ccb-11ec-af51-75b163cdcc43.json new file mode 100755 index 0000000000..753ed39aeb --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-dc64f5b0-2ccb-11ec-af51-75b163cdcc43.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tenable_sc.plugin.is_patch_published\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"tenable_sc.plugin.is_patch_published\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.plugin\\\"\"}}" + }, + "title": "[Tenable SC] Plugin vulnerabilities with and without Patches", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Count\",\"field\":\"tenable_sc.plugin.id\"},\"schema\":\"metric\",\"type\":\"cardinality\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"filters\":[{\"input\":{\"language\":\"kuery\",\"query\":\"tenable_sc.plugin.is_patch_published : false \"},\"label\":\"Vulnerabilities without Patches\"},{\"input\":{\"language\":\"kuery\",\"query\":\"tenable_sc.plugin.is_patch_published : true \"},\"label\":\"Vulnerabilities with Patches\"}]},\"schema\":\"segment\",\"type\":\"filters\"}],\"params\":{\"addLegend\":true,\"addTooltip\":true,\"distinctColors\":false,\"isDonut\":false,\"labels\":{\"last_level\":false,\"percentDecimals\":2,\"position\":\"default\",\"show\":true,\"truncate\":100,\"values\":true,\"valuesFormat\":\"percent\"},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"nestedLegend\":false,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"truncateLegend\":true,\"type\":\"pie\"},\"title\":\"[Tenable SC] Plugin vulnerabilities with and without Patches\",\"type\":\"pie\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-dc64f5b0-2ccb-11ec-af51-75b163cdcc43", + "migrationVersion": { + "visualization": "7.14.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-10-26T11:20:51.927Z", + "version": "WzUyNjEsMV0=" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-eccc5090-2cd2-11ec-af51-75b163cdcc43.json b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-eccc5090-2cd2-11ec-af51-75b163cdcc43.json new file mode 100755 index 0000000000..86d2122ba0 --- /dev/null +++ b/packages/tenable_sc/1.2.2/kibana/visualization/tenable_sc-eccc5090-2cd2-11ec-af51-75b163cdcc43.json 
@@ -0,0 +1,32 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\",\"key\":\"tenable_sc.vulnerability.vpr.score\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"},\"query\":{\"exists\":{\"field\":\"tenable_sc.vulnerability.vpr.score\"}}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"query\":{\"language\":\"kuery\",\"query\":\"data_stream.dataset : \\\"tenable_sc.vulnerability\\\" \"}}" + }, + "title": "[Tenable SC] Top 10 Vulnerabilities by VPR Score", + "uiStateJSON": "{}", + "version": 1, + "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"aggregate\":\"max\",\"customLabel\":\"VPR Score\",\"field\":\"tenable_sc.vulnerability.vpr.score\",\"json\":\"{\\\"sort\\\" : [{ \\\"tenable_sc.vulnerability.vpr.score\\\" : {\\\"unmapped_type\\\" : \\\"long\\\"} }]}\",\"size\":10,\"sortField\":\"tenable_sc.vulnerability.vpr.score\",\"sortOrder\":\"desc\"},\"schema\":\"metric\",\"type\":\"top_hits\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Vulnerability 
ID\",\"field\":\"tenable_sc.vulnerability.custom_hash\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_key\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"}],\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":true,\"show\":false,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"detailedTooltip\":true,\"grid\":{\"categoryLines\":false},\"labels\":{\"show\":false},\"legendPosition\":\"right\",\"maxLegendLines\":1,\"palette\":{\"name\":\"temperature\",\"type\":\"palette\"},\"radiusRatio\":0,\"seriesParams\":[{\"circlesRadius\":3,\"data\":{\"id\":\"1\",\"label\":\"VPR Score\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"thresholdLine\":{\"color\":\"#E7664C\",\"show\":false,\"style\":\"full\",\"value\":10,\"width\":1},\"times\":[],\"truncateLegend\":true,\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"VPR Score\"},\"type\":\"value\"}]},\"title\":\"[Tenable SC] Top 10 Vulnerabilities by VPR Score\",\"type\":\"histogram\"}" + }, + "coreMigrationVersion": "7.16.0", + "id": "tenable_sc-eccc5090-2cd2-11ec-af51-75b163cdcc43", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": 
"index-pattern" + } + ], + "type": "visualization", + "updated_at": "2021-11-16T08:25:19.158Z", + "version": "WzI2MzEsMV0=" +} \ No newline at end of file diff --git a/packages/tenable_sc/1.2.2/manifest.yml b/packages/tenable_sc/1.2.2/manifest.yml new file mode 100755 index 0000000000..94689a3f68 --- /dev/null +++ b/packages/tenable_sc/1.2.2/manifest.yml 
@@ -0,0 +1,110 @@
+format_version: 1.0.0
+name: tenable_sc
+title: Tenable.sc
+# The version must be updated in the pipeline as well. Until elastic/kibana#121310 is implemented we will have to manually sync these.
+version: 1.2.2
+license: basic
+description: |
+ Collect logs from Tenable.sc with Elastic Agent.
+type: integration
+categories:
+ - security
+release: ga
+conditions:
+ kibana.version: ^8.1.0
+screenshots:
+ - src: /img/tenable_sc-screenshot.png
+ title: Tenable.sc vulnerability dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/tenable_sc-logo.svg
+ title: Tenable.sc logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: tenable_sc
+ title: Tenable.sc logs
+ description: Collect Tenable.sc logs
+ inputs:
+ - type: httpjson
+ vars:
+ - name: url
+ type: text
+ title: URL
+ description: URL for the Tenable.sc API (Add https:// before the url).
+ default: https://sc.tenalab.online
+ show_user: true
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ multi: false
+ required: false
+ show_user: false
+ - name: access_key
+ type: password
+ title: Access Key
+ description: Access key for the Tenable.sc API.
+ required: true
+ - name: secret_key
+ type: password
+ title: Secret Key
+ description: Secret key for the Tenable.sc API.
+ required: true
+ - name: batch_size
+ type: text
+ title: Batch Size
+ description: Batch size for the response of the Tenable.sc API.
+ default: 1000
+ required: true
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Tenable.sc API.
+ default: 1m
+ multi: false
+ required: true
+ show_user: true
+ - name: initial_interval
+ type: text
+ title: Initial Interval
+ description: How far back to pull the initial log from the Tenable.sc API.
+ default: 24h
+ multi: false
+ required: true
+ show_user: true
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ title: Collect Tenable.sc logs via API
+ description: Collect Tenable.sc Vulnerability, Asset, and Plugin logs
+owner:
+ github: elastic/security-external-integrations
diff --git a/packages/winlog/1.5.2/changelog.yml b/packages/winlog/1.5.2/changelog.yml
new file mode 100755
index 0000000000..55131bcf24
--- /dev/null
+++ b/packages/winlog/1.5.2/changelog.yml
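Review bot: The `url` variable ships with `default: https://sc.tenalab.online`, a specific external hostname, while `access_key` and `secret_key` are required and are sent to whatever `url` points at, so a policy saved without editing the default would deliver the operator's Tenable.sc API keys to that host. Because the variable is already `required: true` and `show_user: true`, the safer shape is no default at all or an obviously placeholder value, e.g. `default: https://tenable-sc.example.com`, so the form cannot be submitted against a host the operator did not choose. The `proxy_url` description appears here as `http[s]://:@:.`, which reads as if the user, password, host and port placeholders were lost (possibly angle brackets dropped in rendering); if that is the committed text it should name them, e.g. `http[s]://USER:PASSWORD@HOST:PORT`. The `ssl` description lists `verification_mode` among its options but gives no guidance; a short sentence that loosening it disables certificate checking for the API connection, and that the commented block is only an example CA, would help operators configuring a credentialed connection.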
@@ -0,0 +1,102 @@
+# newer versions go on top
+- version: "1.5.2"
+ changes:
+ - description: Add correct field mapping for event.created
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/3579
+- version: "1.5.1"
+ changes:
+ - description: update readme added link to Microsoft documentation and reworded a link
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3177
+- version: "1.5.0"
+ changes:
+ - description: Update to ECS 8.2 (documentation reference only)
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2781
+- version: "1.4.0"
+ changes:
+ - description: Expose winlog input ignore_older option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Fix preserve original event option
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2542
+ - description: Make order of options consistent with other winlog based integrations.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2542
+- version: "1.3.0"
+ changes:
+ - description: Expose winlog input language option.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2344
+- version: "1.2.0"
+ changes:
+ - description: Add 8.0.0 version constraint
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2268
+- version: "1.1.2"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2079
+- version: "1.1.1"
+ changes:
+ - description: Update Splunk input description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2067
+- version: "1.1.0"
+ changes:
+ - description: Consistently map message field in Windows integrations.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2008
+- version: "1.0.3"
+ changes:
+ - description: Update Title and Description.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1991
+- version: "1.0.2"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1860
+- version: "1.0.1"
+ changes:
+ - description: Fix drop_event processor example by using event ID string values in conditions.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1755
+- version: "1.0.0"
+ changes:
+ - description: make GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1716
+- version: "0.4.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.3.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1277
+- version: "0.2.2"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.2.1"
+ changes:
+ - description: Change Splunk input to use the decode_xml_wineventlog processor.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/922
+- version: "0.2.0"
+ changes:
+ - description: Add Splunk httpjson input
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/884
+- version: "0.1.0"
+ changes:
+ - description: initial release
+ type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ link: https://github.com/elastic/integrations/pull/794
diff --git a/packages/winlog/1.5.2/data_stream/winlog/agent/stream/httpjson.yml.hbs b/packages/winlog/1.5.2/data_stream/winlog/agent/stream/httpjson.yml.hbs
new file mode 100755
index 0000000000..4d575f3f66
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,103 @@
+data_stream:
+ dataset: {{data_stream.dataset}}
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - decode_json_fields:
+ fields: message
+ target: json
+ add_error_key: true
+ - drop_event:
+ when:
+ not:
+ has_fields: ['json.result']
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: "@metadata._id"
+ - drop_fields:
+ fields: message
+ - rename:
+ fields:
+ - from: json.result._raw
+ to: event.original
+ - from: json.result.host
+ to: host.name
+ - from: json.result.source
+ to: event.provider
+ ignore_missing: true
+ fail_on_error: false
+ - drop_fields:
+ fields: json
+ - decode_xml_wineventlog:
+ field: event.original
+ target_field: winlog
+ ignore_missing: true
+
ignore_failure: true
+ map_ecs_fields: true
+ - timestamp:
+ field: winlog.time_created
+ layouts:
+ - '2006-01-02T15:04:05Z'
+ - '2006-01-02T15:04:05.999Z'
+ - '2006-01-02T15:04:05.999-07:00'
+ test:
+ - '2019-06-22T16:33:51Z'
+ - '2019-11-18T04:59:51.123Z'
+ - '2020-08-03T07:10:20.123456+02:00'
diff --git a/packages/winlog/1.5.2/data_stream/winlog/agent/stream/winlog.yml.hbs b/packages/winlog/1.5.2/data_stream/winlog/agent/stream/winlog.yml.hbs
new file mode 100755
index 0000000000..0284cea2d0
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/agent/stream/winlog.yml.hbs
@@ -0,0 +1,23 @@
+condition: ${host.platform} == 'windows'
+data_stream:
+ dataset: {{data_stream.dataset}}
+name: {{channel}}
+{{#if preserve_original_event}}
+include_xml: true
+{{/if}}
+{{#if event_id}}
+event_id: {{event_id}}
+{{/if}}
+{{#if ignore_older}}
+ignore_older: {{ignore_older}}
+{{/if}}
+{{#if language}}
+language: {{language}}
+{{/if}}
+{{#if tags.length}}
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+{{custom}}
\ No newline at end of file
diff --git a/packages/winlog/1.5.2/data_stream/winlog/fields/base-fields.yml b/packages/winlog/1.5.2/data_stream/winlog/fields/base-fields.yml
new file mode 100755
index 0000000000..bd3bf4d2e9
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: winlog
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: winlog.winlog
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
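Review bot: The two credential branches in httpjson.yml.hbs are gated on each other's absence — `auth.basic.user`/`auth.basic.password` sit under `{{#unless token}}`, and the `header.Authorization` transform sits under `{{#unless username}}{{#unless password}}{{#if token}}` — so a policy that has both a token and a username/password configured renders neither, and the request to `{{url}}/services/search/jobs/export` presumably goes out with no credentials at all instead of surfacing the conflict. Give one method precedence: drop the two `{{#unless username}}`/`{{#unless password}}` wrappers around the Authorization transform (and their closing `{{/unless}}` lines) so a configured token always wins, and the existing `{{#unless token}}` guard on basic auth then makes the two branches exclusive. The `value: {{token}}` and `auth.basic.password: {{password}}` lines are also emitted unquoted; unless Fleet pre-escapes text vars when rendering, a secret containing ` #` or `: ` changes how that line parses, so `value: "{{token}}"` is the safer form. The hunk is the whole template, so nothing is cut at the edges.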
diff --git a/packages/winlog/1.5.2/data_stream/winlog/fields/beats.yml b/packages/winlog/1.5.2/data_stream/winlog/fields/beats.yml
new file mode 100755
index 0000000000..ede6958855
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ description: Type of Filebeat input.
+ type: keyword
+- name: tags
+ type: keyword
+ description: User defined tags
diff --git a/packages/winlog/1.5.2/data_stream/winlog/fields/ecs.yml b/packages/winlog/1.5.2/data_stream/winlog/fields/ecs.yml
new file mode 100755
index 0000000000..1d1d28ce24
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/fields/ecs.yml
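Review bot: The `input.type` description in beats.yml, `Type of Filebeat input.`, does not match this data stream, whose two streams in the accompanying manifest are the `winlog` input (a Winlogbeat input, not Filebeat) and `httpjson`. A wording that covers both, `description: Type of input that collected the event (winlog or httpjson for this data stream).`, keeps the exported-fields table in the README accurate, since it is generated from these descriptions.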
@@ -0,0 +1,24 @@
+- description: |-
+ ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
+ When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
+ name: ecs.version
+ type: keyword
+- description: |-
+ event.created contains the date/time when the event was first read by an agent, or by your pipeline.
+ This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event.
+ In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
+ In case the two timestamps are identical, @timestamp should be used.
+ name: event.created
+ type: date
+- description: |-
+ Original log level of the log event.
+ If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
+ Some examples are `warn`, `err`, `i`, `informational`.
+ name: log.level
+ type: keyword
+- description: |-
+ For log events the message field contains the log message, optimized for viewing in a log viewer.
+ For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
+ If multiple messages exist, they can be combined into one message.
+ name: message
+ type: match_only_text
diff --git a/packages/winlog/1.5.2/data_stream/winlog/fields/winlog.yml b/packages/winlog/1.5.2/data_stream/winlog/fields/winlog.yml
new file mode 100755
index 0000000000..cd357afbe9
--- /dev/null
+++ b/packages/winlog/1.5.2/data_stream/winlog/fields/winlog.yml 
@@ -0,0 +1,612 @@ +- name: winlog + type: group + description: > + All fields specific to the Windows Event Log are defined here. + + fields: + - name: api + required: true + type: keyword + description: > + The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. + + The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. + + - name: activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. + + - name: channel + type: keyword + required: true + description: > + The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. + + - name: computer_name + type: keyword + required: true + description: > + The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + + - name: computerObject + type: group + description: > + computer Object data + + fields: + - name: domain + type: keyword + - name: id + type: keyword + - name: name + type: keyword + - name: event_data + type: object + object_type: keyword + required: false + description: > + The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
+ + - name: event_data + type: group + description: > + This is a non-exhaustive list of parameters that are used in Windows events. By having these fields defined in the template they can be used in dashboards and machine-learning jobs. + + fields: + - name: AccessGranted + type: keyword + - name: AccessRemoved + type: keyword + - name: AccountDomain + type: keyword + - name: AccountExpires + type: keyword + - name: AccountName + type: keyword + - name: AllowedToDelegateTo + type: keyword + - name: AuditPolicyChanges + type: keyword + - name: AuditPolicyChangesDescription + type: keyword + - name: AuditSourceName + type: keyword + - name: AuthenticationPackageName + type: keyword + - name: Binary + type: keyword + - name: BitlockerUserInputTime + type: keyword + - name: BootMode + type: keyword + - name: BootType + type: keyword + - name: BuildVersion + type: keyword + - name: CallerProcessId + type: keyword + - name: CallerProcessName + type: keyword + - name: Category + type: keyword + - name: CategoryId + type: keyword + - name: ClientAddress + type: keyword + - name: ClientName + type: keyword + - name: CommandLine + type: keyword + - name: Company + type: keyword + - name: CorruptionActionState + type: keyword + - name: CrashOnAuditFailValue + type: keyword + - name: CreationUtcTime + type: keyword + - name: Description + type: keyword + - name: Detail + type: keyword + - name: DeviceName + type: keyword + - name: DeviceNameLength + type: keyword + - name: DeviceTime + type: keyword + - name: DeviceVersionMajor + type: keyword + - name: DeviceVersionMinor + type: keyword + - name: DisplayName + type: keyword + - name: DomainBehaviorVersion + type: keyword + - name: DomainName + type: keyword + - name: DomainPolicyChanged + type: keyword + - name: DomainSid + type: keyword + - name: DriveName + type: keyword + - name: DriverName + type: keyword + - name: DriverNameLength + type: keyword + - name: Dummy + type: keyword + - name: DwordVal + type: keyword + - 
name: EntryCount + type: keyword + - name: EventSourceId + type: keyword + - name: ExtraInfo + type: keyword + - name: FailureName + type: keyword + - name: FailureNameLength + type: keyword + - name: FailureReason + type: keyword + - name: FileVersion + type: keyword + - name: FinalStatus + type: keyword + - name: Group + type: keyword + - name: GroupTypeChange + type: keyword + - name: HandleId + type: keyword + - name: HomeDirectory + type: keyword + - name: HomePath + type: keyword + - name: IdleImplementation + type: keyword + - name: IdleStateCount + type: keyword + - name: ImpersonationLevel + type: keyword + - name: IntegrityLevel + type: keyword + - name: IpAddress + type: keyword + - name: IpPort + type: keyword + - name: KerberosPolicyChange + type: keyword + - name: KeyLength + type: keyword + - name: LastBootGood + type: keyword + - name: LastShutdownGood + type: keyword + - name: LmPackageName + type: keyword + - name: LogonGuid + type: keyword + - name: LogonHours + type: keyword + - name: LogonId + type: keyword + - name: LogonID + type: keyword + - name: LogonProcessName + type: keyword + - name: LogonType + type: keyword + - name: MachineAccountQuota + type: keyword + - name: MajorVersion + type: keyword + - name: MandatoryLabel + type: keyword + - name: MaximumPerformancePercent + type: keyword + - name: MemberName + type: keyword + - name: MemberSid + type: keyword + - name: MinimumPerformancePercent + type: keyword + - name: MinimumThrottlePercent + type: keyword + - name: MinorVersion + type: keyword + - name: MixedDomainMode + type: keyword + - name: NewProcessId + type: keyword + - name: NewProcessName + type: keyword + - name: NewSchemeGuid + type: keyword + - name: NewSd + type: keyword + - name: NewSdDacl0 + type: keyword + - name: NewSdDacl1 + type: keyword + - name: NewSdDacl2 + type: keyword + - name: NewSdSacl0 + type: keyword + - name: NewSdSacl1 + type: keyword + - name: NewSdSacl2 + type: keyword + - name: NewTargetUserName + type: 
keyword + - name: NewTime + type: keyword + - name: NewUACList + type: keyword + - name: NewUacValue + type: keyword + - name: NominalFrequency + type: keyword + - name: Number + type: keyword + - name: ObjectName + type: keyword + - name: ObjectServer + type: keyword + - name: ObjectType + type: keyword + - name: OemInformation + type: keyword + - name: OldSchemeGuid + type: keyword + - name: OldSd + type: keyword + - name: OldSdDacl0 + type: keyword + - name: OldSdDacl1 + type: keyword + - name: OldSdDacl2 + type: keyword + - name: OldSdSacl0 + type: keyword + - name: OldSdSacl1 + type: keyword + - name: OldSdSacl2 + type: keyword + - name: OldTargetUserName + type: keyword + - name: OldTime + type: keyword + - name: OldUacValue + type: keyword + - name: OriginalFileName + type: keyword + - name: PackageName + type: keyword + - name: PasswordLastSet + type: keyword + - name: PasswordHistoryLength + type: keyword + - name: Path + type: keyword + - name: ParentProcessName + type: keyword + - name: PerformanceImplementation + type: keyword + - name: PreviousCreationUtcTime + type: keyword + - name: PreAuthType + type: keyword + - name: PreviousTime + type: keyword + - name: PrimaryGroupId + type: keyword + - name: PrivilegeList + type: keyword + - name: ProcessId + type: keyword + - name: ProcessName + type: keyword + - name: ProcessPath + type: keyword + - name: ProcessPid + type: keyword + - name: Product + type: keyword + - name: ProfilePath + type: keyword + - name: PuaCount + type: keyword + - name: PuaPolicyId + type: keyword + - name: QfeVersion + type: keyword + - name: Reason + type: keyword + - name: SamAccountName + type: keyword + - name: SchemaVersion + type: keyword + - name: ScriptPath + type: keyword + - name: SidHistory + type: keyword + - name: ScriptBlockText + type: keyword + - name: Service + type: keyword + - name: ServiceAccount + type: keyword + - name: ServiceFileName + type: keyword + - name: ServiceName + type: keyword + - name: ServiceSid 
+ type: keyword + - name: ServiceStartType + type: keyword + - name: ServiceType + type: keyword + - name: ServiceVersion + type: keyword + - name: SessionName + type: keyword + - name: ShutdownActionType + type: keyword + - name: ShutdownEventCode + type: keyword + - name: ShutdownReason + type: keyword + - name: SidFilteringEnabled + type: keyword + - name: Signature + type: keyword + - name: SignatureStatus + type: keyword + - name: Signed + type: keyword + - name: StartTime + type: keyword + - name: State + type: keyword + - name: Status + type: keyword + - name: StatusDescription + type: keyword + - name: StopTime + type: keyword + - name: SubCategory + type: keyword + - name: SubCategoryGuid + type: keyword + - name: SubcategoryGuid + type: keyword + - name: SubCategoryId + type: keyword + - name: SubcategoryId + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: SubStatus + type: keyword + - name: TSId + type: keyword + - name: TargetDomainName + type: keyword + - name: TargetInfo + type: keyword + - name: TargetLogonGuid + type: keyword + - name: TargetLogonId + type: keyword + - name: TargetServerName + type: keyword + - name: TargetSid + type: keyword + - name: TargetUserName + type: keyword + - name: TargetUserSid + type: keyword + - name: TdoAttributes + type: keyword + - name: TdoDirection + type: keyword + - name: TdoType + type: keyword + - name: TerminalSessionId + type: keyword + - name: TicketEncryptionType + type: keyword + - name: TicketEncryptionTypeDescription + type: keyword + - name: TicketOptions + type: keyword + - name: TicketOptionsDescription + type: keyword + - name: TokenElevationType + type: keyword + - name: TransmittedServices + type: keyword + - name: UserAccountControl + type: keyword + - name: UserParameters + type: keyword + - name: UserPrincipalName + type: keyword + - name: UserSid + 
type: keyword + - name: UserWorkstations + type: keyword + - name: Version + type: keyword + - name: Workstation + type: keyword + - name: WorkstationName + type: keyword + - name: param1 + type: keyword + - name: param2 + type: keyword + - name: param3 + type: keyword + - name: param4 + type: keyword + - name: param5 + type: keyword + - name: param6 + type: keyword + - name: param7 + type: keyword + - name: param8 + type: keyword + - name: event_id + type: keyword + required: true + description: > + The event identifier. The value is specific to the source of the event. + + - name: keywords + type: keyword + required: false + description: > + The keywords are used to classify an event. + + - name: level + type: keyword + required: false + description: > + The event severity. Levels are Critical, Error, Warning and Information, Verbose + + - name: outcome + type: keyword + required: false + description: > + Success or Failure of the event. + + - name: record_id + type: keyword + required: true + description: > + The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. + + - name: related_activity_id + type: keyword + required: false + description: > + A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. + + - name: opcode + type: keyword + required: false + description: > + The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. + + - name: provider_guid + type: keyword + required: false + description: > + A globally unique identifier that identifies the provider that logged the event. 
+ + - name: process.pid + type: long + required: false + description: > + The process_id of the Client Server Runtime Process. + + - name: provider_name + type: keyword + required: true + description: > + The source of the event log record (the application or service that logged the record). + + - name: task + type: keyword + required: false + description: > + The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. + + - name: time_created + type: keyword + required: false + description: > + Time event was created + + - name: trustAttribute + type: keyword + required: false + - name: trustDirection + type: keyword + required: false + - name: trustType + type: keyword + required: false + - name: process.thread.id + type: long + required: false + - name: user_data + type: object + object_type: keyword + required: false + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + - name: user_data + type: group + description: > + The event specific data. This field is mutually exclusive with `event_data`. + + fields: + - name: BackupPath + type: keyword + - name: Channel + type: keyword + - name: SubjectDomainName + type: keyword + - name: SubjectLogonId + type: keyword + - name: SubjectUserName + type: keyword + - name: SubjectUserSid + type: keyword + - name: xml_name + type: keyword + - name: user.identifier + type: keyword + required: false + example: S-1-5-21-3541430928-2051711210-1391384369-1001 + description: > + The Windows security identifier (SID) of the account associated with this event. + + If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. 
If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. + + - name: user.name + type: keyword + description: > + Name of the user associated with this event. + + - name: user.domain + type: keyword + required: false + description: > + The domain that the account associated with this event is a member of. + + - name: user.type + type: keyword + required: false + description: > + The type of account associated with this event. + + - name: version + type: long + required: false + description: The version number of the event's definition. diff --git a/packages/winlog/1.5.2/data_stream/winlog/manifest.yml b/packages/winlog/1.5.2/data_stream/winlog/manifest.yml new file mode 100755 index 0000000000..6b9b4669d7 --- /dev/null +++ b/packages/winlog/1.5.2/data_stream/winlog/manifest.yml 
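Review bot: `ScriptBlockText` and `CommandLine` under `winlog.event_data` are mapped as plain `keyword` with no text sibling; a PowerShell script block or a long command line routinely exceeds the keyword `ignore_above` limit that package fields typically receive, and such a value is then kept in `_source` but not indexed, so a KQL or EQL search on `winlog.event_data.ScriptBlockText` silently misses precisely the long events detection content is written for. Consider `type: text` for these two, or a `multi_fields:` entry of `- name: text` / `type: match_only_text`, mirroring how `message` is mapped as `match_only_text` in ecs.yml in this same commit. `event_data` and `user_data` each appear twice in the list, first as `type: object` with `object_type: keyword` and then as `type: group`; that is presumably deliberate (dynamic mapping plus named fields), but a comment above the second definition such as `# Named fields for the same object; the object definition above covers everything not listed here.` would stop the next reader treating it as a duplicate. The `LogonId`/`LogonID` and `SubCategoryGuid`/`SubcategoryGuid` pairs read the same way and would benefit from a one-line note that both spellings occur in real events, if that is the reason they are both kept.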
@@ -0,0 +1,109 @@
+title: Custom Windows Event Log Dataset
+type: logs
+streams:
+ - input: winlog
+ description: Collect Windows event logs from a custom channel
+ title: Windows Event Logs
+ template_path: winlog.yml.hbs
+ vars:
+ - name: channel
+ type: text
+ title: Channel Name
+ description: >-
+ Name of Windows event log channel (eg. Microsoft-Windows-PowerShell/Operational)
+ required: true
+ show_user: true
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: >-
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: winlog.winlog
+ required: true
+ show_user: true
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: >-
+ Preserves a raw copy of the original XML event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: event_id
+ type: text
+ title: Event ID
+ description: >-
+ A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 IDs.
+ required: false
+ show_user: false
+ - name: ignore_older
+ type: text
+ title: Ignore events older than
+ default: 72h
+ required: false
+ show_user: false
+ description: >-
+ If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ - name: language
+ type: text
+ title: Language ID
+ description: >-
+ The language ID the events will be rendered in. The language will be forced regardless of the system language.
A complete list of language IDs can be found [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c). It defaults to `0`, which indicates to use the system language. E.g.: `0x0409` for `en-US`
+ required: false
+ show_user: false
+ default: 0
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event
+ required: false
+ multi: true
+ show_user: false
+ - name: custom
+ type: yaml
+ title: Custom Configurations
+ description: >-
+ YAML configuration options for winlog input. Be careful, this may break the integration.
+ required: false
+ show_user: false
+ default: |-
+ # Winlog configuration example
+ #processors:
+ # - drop_event.when.not.or:
+ # - equals.winlog.event_id: '903'
+ # - equals.winlog.event_id: '1024'
+ - input: httpjson
+ title: Windows ForwardedEvents via Splunk Enterprise REST API
+ description: Collect ForwardedEvents via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: true
+ required: true
+ default: "search sourcetype=\"XmlWinEventLog:ChannelName\""
+ - name: data_stream.dataset
+ type: text
+ title: Dataset name
+ description: >-
+ Dataset to write data to. Changing the dataset will send the data to a different index. You can't use `-` in the name of a dataset and only valid characters for [Elasticsearch index names](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html).
+ default: winlog.winlog
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
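Review bot: The httpjson stream's `search` var carries no `description`, so the only hint that `ChannelName` in `default: "search sourcetype=\"XmlWinEventLog:ChannelName\""` is a placeholder to be replaced is the placeholder itself; a line such as `description: Splunk search that returns the XML-rendered Windows events; replace ChannelName with the sourcetype of the channel to collect.` would make that explicit and keeps this var in step with `interval`, which does document its format. The httpjson `tags` var likewise lacks the description its winlog-stream counterpart has (`Tags to include in the published event`); copying that line over restores consistency between the two streams, and since the default `forwarded` tag also makes httpjson.yml.hbs emit `publisher_pipeline.disable_host: true`, the description is the place to say that the default is load-bearing rather than cosmetic. Whether the `language` description above is one long line or two lines with a lost `+` marker cannot be told from this view, so that part of the hunk is left as printed.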
diff --git a/packages/winlog/1.5.2/docs/README.md b/packages/winlog/1.5.2/docs/README.md
new file mode 100755
index 0000000000..b29900062c
--- /dev/null
+++ b/packages/winlog/1.5.2/docs/README.md
@@ -0,0 +1,284 @@ +# Custom Windows event log package + +The custom Windows event log package allows you to ingest events from +any [Windows event log](https://docs.microsoft.com/en-us/windows/win32/wes/windows-event-log) channel. You can get a list of available event +log channels by running `Get-EventLog *` in PowerShell. Custom ingest +pipelines may be added by setting one up in +[Ingest Node Pipelines](/app/management/ingest/ingest_pipelines/). + +## Configuration + +### Ingesting Windows Events via Splunk + +This integration offers the ability to seamlessly ingest data from a Splunk Enterprise instance. +These integrations work by using the [httpjson input](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html) in Elastic Agent to run a Splunk search via the Splunk REST API and then extract the raw event from the results. +The raw event is then processed via the Elastic Agent. +The Splunk search is customizable and the interval between searches is customizable. +See the [Splunk API integration documentation](https://www.elastic.co/guide/en/observability/current/ingest-splunk.html) for more information. + +This integration requires Windows Events from Splunk to be in XML format. +To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file. + +## Logs + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| tags | User defined tags | keyword | +| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | +| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. 
In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | +| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | +| winlog.computerObject.domain | | keyword | +| winlog.computerObject.id | | keyword | +| winlog.computerObject.name | | keyword | +| winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. | keyword | +| winlog.event_data | The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. 
| object | +| winlog.event_data.AccessGranted | | keyword | +| winlog.event_data.AccessRemoved | | keyword | +| winlog.event_data.AccountDomain | | keyword | +| winlog.event_data.AccountExpires | | keyword | +| winlog.event_data.AccountName | | keyword | +| winlog.event_data.AllowedToDelegateTo | | keyword | +| winlog.event_data.AuditPolicyChanges | | keyword | +| winlog.event_data.AuditPolicyChangesDescription | | keyword | +| winlog.event_data.AuditSourceName | | keyword | +| winlog.event_data.AuthenticationPackageName | | keyword | +| winlog.event_data.Binary | | keyword | +| winlog.event_data.BitlockerUserInputTime | | keyword | +| winlog.event_data.BootMode | | keyword | +| winlog.event_data.BootType | | keyword | +| winlog.event_data.BuildVersion | | keyword | +| winlog.event_data.CallerProcessId | | keyword | +| winlog.event_data.CallerProcessName | | keyword | +| winlog.event_data.Category | | keyword | +| winlog.event_data.CategoryId | | keyword | +| winlog.event_data.ClientAddress | | keyword | +| winlog.event_data.ClientName | | keyword | +| winlog.event_data.CommandLine | | keyword | +| winlog.event_data.Company | | keyword | +| winlog.event_data.CorruptionActionState | | keyword | +| winlog.event_data.CrashOnAuditFailValue | | keyword | +| winlog.event_data.CreationUtcTime | | keyword | +| winlog.event_data.Description | | keyword | +| winlog.event_data.Detail | | keyword | +| winlog.event_data.DeviceName | | keyword | +| winlog.event_data.DeviceNameLength | | keyword | +| winlog.event_data.DeviceTime | | keyword | +| winlog.event_data.DeviceVersionMajor | | keyword | +| winlog.event_data.DeviceVersionMinor | | keyword | +| winlog.event_data.DisplayName | | keyword | +| winlog.event_data.DomainBehaviorVersion | | keyword | +| winlog.event_data.DomainName | | keyword | +| winlog.event_data.DomainPolicyChanged | | keyword | +| winlog.event_data.DomainSid | | keyword | +| winlog.event_data.DriveName | | keyword | +| winlog.event_data.DriverName | | 
keyword | +| winlog.event_data.DriverNameLength | | keyword | +| winlog.event_data.Dummy | | keyword | +| winlog.event_data.DwordVal | | keyword | +| winlog.event_data.EntryCount | | keyword | +| winlog.event_data.EventSourceId | | keyword | +| winlog.event_data.ExtraInfo | | keyword | +| winlog.event_data.FailureName | | keyword | +| winlog.event_data.FailureNameLength | | keyword | +| winlog.event_data.FailureReason | | keyword | +| winlog.event_data.FileVersion | | keyword | +| winlog.event_data.FinalStatus | | keyword | +| winlog.event_data.Group | | keyword | +| winlog.event_data.GroupTypeChange | | keyword | +| winlog.event_data.HandleId | | keyword | +| winlog.event_data.HomeDirectory | | keyword | +| winlog.event_data.HomePath | | keyword | +| winlog.event_data.IdleImplementation | | keyword | +| winlog.event_data.IdleStateCount | | keyword | +| winlog.event_data.ImpersonationLevel | | keyword | +| winlog.event_data.IntegrityLevel | | keyword | +| winlog.event_data.IpAddress | | keyword | +| winlog.event_data.IpPort | | keyword | +| winlog.event_data.KerberosPolicyChange | | keyword | +| winlog.event_data.KeyLength | | keyword | +| winlog.event_data.LastBootGood | | keyword | +| winlog.event_data.LastShutdownGood | | keyword | +| winlog.event_data.LmPackageName | | keyword | +| winlog.event_data.LogonGuid | | keyword | +| winlog.event_data.LogonHours | | keyword | +| winlog.event_data.LogonID | | keyword | +| winlog.event_data.LogonId | | keyword | +| winlog.event_data.LogonProcessName | | keyword | +| winlog.event_data.LogonType | | keyword | +| winlog.event_data.MachineAccountQuota | | keyword | +| winlog.event_data.MajorVersion | | keyword | +| winlog.event_data.MandatoryLabel | | keyword | +| winlog.event_data.MaximumPerformancePercent | | keyword | +| winlog.event_data.MemberName | | keyword | +| winlog.event_data.MemberSid | | keyword | +| winlog.event_data.MinimumPerformancePercent | | keyword | +| winlog.event_data.MinimumThrottlePercent | | keyword 
| +| winlog.event_data.MinorVersion | | keyword | +| winlog.event_data.MixedDomainMode | | keyword | +| winlog.event_data.NewProcessId | | keyword | +| winlog.event_data.NewProcessName | | keyword | +| winlog.event_data.NewSchemeGuid | | keyword | +| winlog.event_data.NewSd | | keyword | +| winlog.event_data.NewSdDacl0 | | keyword | +| winlog.event_data.NewSdDacl1 | | keyword | +| winlog.event_data.NewSdDacl2 | | keyword | +| winlog.event_data.NewSdSacl0 | | keyword | +| winlog.event_data.NewSdSacl1 | | keyword | +| winlog.event_data.NewSdSacl2 | | keyword | +| winlog.event_data.NewTargetUserName | | keyword | +| winlog.event_data.NewTime | | keyword | +| winlog.event_data.NewUACList | | keyword | +| winlog.event_data.NewUacValue | | keyword | +| winlog.event_data.NominalFrequency | | keyword | +| winlog.event_data.Number | | keyword | +| winlog.event_data.ObjectName | | keyword | +| winlog.event_data.ObjectServer | | keyword | +| winlog.event_data.ObjectType | | keyword | +| winlog.event_data.OemInformation | | keyword | +| winlog.event_data.OldSchemeGuid | | keyword | +| winlog.event_data.OldSd | | keyword | +| winlog.event_data.OldSdDacl0 | | keyword | +| winlog.event_data.OldSdDacl1 | | keyword | +| winlog.event_data.OldSdDacl2 | | keyword | +| winlog.event_data.OldSdSacl0 | | keyword | +| winlog.event_data.OldSdSacl1 | | keyword | +| winlog.event_data.OldSdSacl2 | | keyword | +| winlog.event_data.OldTargetUserName | | keyword | +| winlog.event_data.OldTime | | keyword | +| winlog.event_data.OldUacValue | | keyword | +| winlog.event_data.OriginalFileName | | keyword | +| winlog.event_data.PackageName | | keyword | +| winlog.event_data.ParentProcessName | | keyword | +| winlog.event_data.PasswordHistoryLength | | keyword | +| winlog.event_data.PasswordLastSet | | keyword | +| winlog.event_data.Path | | keyword | +| winlog.event_data.PerformanceImplementation | | keyword | +| winlog.event_data.PreAuthType | | keyword | +| winlog.event_data.PreviousCreationUtcTime 
| | keyword | +| winlog.event_data.PreviousTime | | keyword | +| winlog.event_data.PrimaryGroupId | | keyword | +| winlog.event_data.PrivilegeList | | keyword | +| winlog.event_data.ProcessId | | keyword | +| winlog.event_data.ProcessName | | keyword | +| winlog.event_data.ProcessPath | | keyword | +| winlog.event_data.ProcessPid | | keyword | +| winlog.event_data.Product | | keyword | +| winlog.event_data.ProfilePath | | keyword | +| winlog.event_data.PuaCount | | keyword | +| winlog.event_data.PuaPolicyId | | keyword | +| winlog.event_data.QfeVersion | | keyword | +| winlog.event_data.Reason | | keyword | +| winlog.event_data.SamAccountName | | keyword | +| winlog.event_data.SchemaVersion | | keyword | +| winlog.event_data.ScriptBlockText | | keyword | +| winlog.event_data.ScriptPath | | keyword | +| winlog.event_data.Service | | keyword | +| winlog.event_data.ServiceAccount | | keyword | +| winlog.event_data.ServiceFileName | | keyword | +| winlog.event_data.ServiceName | | keyword | +| winlog.event_data.ServiceSid | | keyword | +| winlog.event_data.ServiceStartType | | keyword | +| winlog.event_data.ServiceType | | keyword | +| winlog.event_data.ServiceVersion | | keyword | +| winlog.event_data.SessionName | | keyword | +| winlog.event_data.ShutdownActionType | | keyword | +| winlog.event_data.ShutdownEventCode | | keyword | +| winlog.event_data.ShutdownReason | | keyword | +| winlog.event_data.SidFilteringEnabled | | keyword | +| winlog.event_data.SidHistory | | keyword | +| winlog.event_data.Signature | | keyword | +| winlog.event_data.SignatureStatus | | keyword | +| winlog.event_data.Signed | | keyword | +| winlog.event_data.StartTime | | keyword | +| winlog.event_data.State | | keyword | +| winlog.event_data.Status | | keyword | +| winlog.event_data.StatusDescription | | keyword | +| winlog.event_data.StopTime | | keyword | +| winlog.event_data.SubCategory | | keyword | +| winlog.event_data.SubCategoryGuid | | keyword | +| winlog.event_data.SubCategoryId | 
| keyword | +| winlog.event_data.SubStatus | | keyword | +| winlog.event_data.SubcategoryGuid | | keyword | +| winlog.event_data.SubcategoryId | | keyword | +| winlog.event_data.SubjectDomainName | | keyword | +| winlog.event_data.SubjectLogonId | | keyword | +| winlog.event_data.SubjectUserName | | keyword | +| winlog.event_data.SubjectUserSid | | keyword | +| winlog.event_data.TSId | | keyword | +| winlog.event_data.TargetDomainName | | keyword | +| winlog.event_data.TargetInfo | | keyword | +| winlog.event_data.TargetLogonGuid | | keyword | +| winlog.event_data.TargetLogonId | | keyword | +| winlog.event_data.TargetServerName | | keyword | +| winlog.event_data.TargetSid | | keyword | +| winlog.event_data.TargetUserName | | keyword | +| winlog.event_data.TargetUserSid | | keyword | +| winlog.event_data.TdoAttributes | | keyword | +| winlog.event_data.TdoDirection | | keyword | +| winlog.event_data.TdoType | | keyword | +| winlog.event_data.TerminalSessionId | | keyword | +| winlog.event_data.TicketEncryptionType | | keyword | +| winlog.event_data.TicketEncryptionTypeDescription | | keyword | +| winlog.event_data.TicketOptions | | keyword | +| winlog.event_data.TicketOptionsDescription | | keyword | +| winlog.event_data.TokenElevationType | | keyword | +| winlog.event_data.TransmittedServices | | keyword | +| winlog.event_data.UserAccountControl | | keyword | +| winlog.event_data.UserParameters | | keyword | +| winlog.event_data.UserPrincipalName | | keyword | +| winlog.event_data.UserSid | | keyword | +| winlog.event_data.UserWorkstations | | keyword | +| winlog.event_data.Version | | keyword | +| winlog.event_data.Workstation | | keyword | +| winlog.event_data.WorkstationName | | keyword | +| winlog.event_data.param1 | | keyword | +| winlog.event_data.param2 | | keyword | +| winlog.event_data.param3 | | keyword | +| winlog.event_data.param4 | | keyword | +| winlog.event_data.param5 | | keyword | +| winlog.event_data.param6 | | keyword | +| 
winlog.event_data.param7 | | keyword | +| winlog.event_data.param8 | | keyword | +| winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword | +| winlog.keywords | The keywords are used to classify an event. | keyword | +| winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword | +| winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword | +| winlog.outcome | Success or Failure of the event. | keyword | +| winlog.process.pid | The process_id of the Client Server Runtime Process. | long | +| winlog.process.thread.id | | long | +| winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword | +| winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword | +| winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword | +| winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. | keyword | +| winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. 
| keyword | +| winlog.time_created | Time event was created | keyword | +| winlog.trustAttribute | | keyword | +| winlog.trustDirection | | keyword | +| winlog.trustType | | keyword | +| winlog.user.domain | The domain that the account associated with this event is a member of. | keyword | +| winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword | +| winlog.user.name | Name of the user associated with this event. | keyword | +| winlog.user.type | The type of account associated with this event. | keyword | +| winlog.user_data | The event specific data. This field is mutually exclusive with `event_data`. | object | +| winlog.user_data.BackupPath | | keyword | +| winlog.user_data.Channel | | keyword | +| winlog.user_data.SubjectDomainName | | keyword | +| winlog.user_data.SubjectLogonId | | keyword | +| winlog.user_data.SubjectUserName | | keyword | +| winlog.user_data.SubjectUserSid | | keyword | +| winlog.user_data.xml_name | | keyword | +| winlog.version | The version number of the event's definition. | long | + diff --git a/packages/winlog/1.5.2/img/logo_windows.svg b/packages/winlog/1.5.2/img/logo_windows.svg new file mode 100755 index 0000000000..953b33d8f5 --- /dev/null +++ b/packages/winlog/1.5.2/img/logo_windows.svg @@ -0,0 +1,3 @@ + + + diff --git a/packages/winlog/1.5.2/manifest.yml b/packages/winlog/1.5.2/manifest.yml new file mode 100755 index 0000000000..3732b67a42 --- /dev/null +++ b/packages/winlog/1.5.2/manifest.yml 
@@ -0,0 +1,85 @@
+format_version: 1.0.0
+name: winlog
+title: Custom Windows Event Logs
+description: Collect and parse logs from any Windows event log channel with Elastic Agent.
+type: integration
+version: 1.5.2
+release: ga
+conditions:
+ kibana.version: '^7.16.0 || ^8.0.0'
+license: basic
+categories:
+ - custom
+policy_templates:
+ - name: winlogs
+ title: Custom Windows event logs
+ description: Collect your custom Windows event logs.
+ inputs:
+ - type: winlog
+ title: Custom Windows event logs
+ description: Collect events from custom Windows event log channels.
+ multi: true
+ - type: httpjson
+ title: Collect logs from third-party REST API (experimental)
+ description: Collect logs from third-party REST API (experimental)
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ show_user: true
+ required: false
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+icons:
+ - src: "/img/logo_windows.svg"
+ type: "image/svg+xml"
+owner:
+ github: elastic/security-external-integrations
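Review bot: The `ssl` var description (`i.e. certificate_authorities, supported_protocols, verification_mode etc.`) names `verification_mode` without saying what relaxing it costs, and `i.e.` is used where `e.g.` is meant (the same slip is in the `url` description, `i.e. scheme://host:port`). I would write `description: e.g. certificate_authorities, supported_protocols, verification_mode; keep verification_mode at its default and list a private CA under certificate_authorities rather than disabling verification` so that users with a self-signed Splunk endpoint are steered to the commented example in `default` instead of to `verification_mode: none`. The `token` description uses `description: |`, which keeps a trailing newline in the rendered text; `>-` would fold it into one line like the other descriptions in this file. The httpjson input is titled `(experimental)` while the package is `release: ga` and the data stream hunk earlier in this diff titles the same input `Windows ForwardedEvents via Splunk Enterprise REST API`; aligning the titles or dropping the experimental tag would avoid presenting two different statuses for one input.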